At the end of May, exactly one year after the General Data Protection Regulation (GDPR) came into effect, Belgium issued a fine – its very first – for infringing that feared privacy legislation. Remarkably enough, the offender turned out to be … a politician! The man had ventured to misuse personal data for election purposes. With that first conviction, the time to sit back and relax about GDPR finally seems over.
Despite the atmosphere of alarm that prevailed in the run-up to the new privacy legislation, the consequences have remained fairly limited in Belgium since its official introduction. And our country’s Data Protection Authority (DPA) has a large share in that. That institution replaced the former Privacy Commission and was immediately given wider powers, including the enforcement of the GDPR rules. However, it took the appointment of a new management committee at the end of last April to finally unleash those powers.
Fines aplenty.
In the meantime, 11 European member states have already issued fines. The largest one was imposed by France. Google received a fine of around 50 million euros from the French government. And then there’s Uber, which was not only fined in France for not reporting data breaches, but also in the Netherlands and the United Kingdom.
Yet it is not just the ‘big ones’ who were fined. The Dutch bank InsingerGilissen, for example, received a penalty of 48,000 euros for responding late to a request for inspection. The French Optical Center received a fine of 250,000 euros because of a security breach of customer data on their web shop. Other fines were imposed for the use of personal data for purposes other than foreseen or for the use of fingerprints without permission. A hospital in Portugal was fined because doctors had access to all medical records within the hospital.
It should be clear from all this that supervisory authorities do indeed dare to fine companies. Moreover, there needn’t always be a gigantic hack or data breach in order to issue a fine. And in most cases, neither the industry a company operates in nor the nature of its business actually comes into play here.
So where do we go from here?
Because Belgium’s DPA has only recently been reformed, we will have to wait and see which points of attention will be on the program. However, we can expect that the focus will be the same as in our neighbouring countries: on government bodies and specifically on the exchange of personal data with and by them, on the security at healthcare institutions and their legal basis for processing personal data, and finally on non-reported data breaches and data breaches that were caused by, for example, a security breach.
In any case, those who did not do so last year must now really work on a GDPR policy. Among other things, it is important to draw up a register of processing activities. In addition, it is advisable to also examine the security of the processed personal data.