GDPR 2020: Where Compliance Lands Now
by Kelly LeBlanc
Posted On August 11, 2020
The General Data Protection Regulation (GDPR) has successfully passed its second-year mark, and with that, the European Commission (EC) has issued its first evaluation report highlighting progress made, challenges encountered, and objectives for moving forward. Additionally, the GDPR has proved itself to be a flexible regulation in support of digital solutions during the coronavirus pandemic.

These days, when substantial portions of the workforce are being asked to work from home and children are being taught in virtual classrooms, robust data privacy and protection are needed more than ever. The GDPR offers guidance, support, and standards as the world follows its new routine in response to COVID-19.

Two Years In: The EC Reports on the GDPR

On June 24, 2020, the EC published its first GDPR evaluation report, “Data Protection as a Pillar of Citizens’ Empowerment and the EU’s Approach to the Digital Transition - Two Years of Application of the General Data Protection Regulation.” It reviews GDPR objectives, focusing on how many of these targets were met. To date, the success of the GDPR has been spearheaded by citizens exercising their enforceable rights, governance, and compliance enforcement.

Moving forward, the EC understands the need to have a common culture of data protection with more efficient data-handling throughout all member states, stressing that all GDPR tools must be used to their utmost capacity to ensure that the regulation is applied to its fullest. GDPR assessment remains ongoing; the EC has drafted a list of action items to focus on before the next evaluation report comes out in 2024.

Your Rights Matter: Data Protection and Privacy

At the request of the EC, the European Union (EU) Agency for Fundamental Rights (FRA)—which is tasked with promoting and protecting human rights in the EU—conducted a study focusing on GDPR awareness and the way people share data about themselves. This study, “Your Rights Matter: Data Protection and Privacy - Fundamental Rights Survey,” was published on June 18, 2020.

The two survey questions examined here fall under the topic of awareness:

  1. Awareness of the GDPR—“Have you heard of the General Data Protection Regulation - GDPR?” Survey takers could answer yes or no. Overall, 69% of people in the 27 EU countries (this number excludes the U.K.) have heard of the GDPR. Results are broken down by country.
  2. Awareness of data protection authorities—“Have you ever heard of any of the following? Please respond with the first thing that comes into your head.” In the survey, this question was followed by the name of the respective supervisory authority for data protection (DPA) in that country. Overall, 71% of people in the 27 EU countries have heard of their national DPA. Topping the charts was the Czech Republic, where most people have heard of their DPA (90%). Among EU countries, Belgium had the fewest individuals who had heard of their DPA (44%), and outside the EU, even fewer had in the U.K. (35%).

Two Years of Litigation and Fines: An Overview

Over the past 2 years, the subjects of GDPR enforcement have ranged from large multinational corporations to charities, nonprofits, and even individuals. It was estimated that in the first 20 months of the GDPR, approximately €114 million (about $135 million) in fines were issued. The following handpicked examples show the depth and breadth of the GDPR’s reach.

Google

Google has been subject to several violations, with fines totaling €57.6 million (about $68.4 million). Cases were filed in Belgium, Sweden, and France. Violations of Articles 5 and 6 appear in all three examples listed below.

[Table 1 - Google. Source: GDPR Enforcement Tracker. GDPR articles cited: Article 5, Article 6, Article 12, Article 13, Article 14, Article 17(1)(a).]

British Airways

British Airways has pending litigation due to a cybersecurity incident in 2018 in which users were diverted to a fraudulent site that collected customer data. It is estimated that approximately 500,000 individuals were affected, beginning in June 2018.

[Table 2 - British Airways. Source: GDPR Enforcement Tracker. GDPR article cited: Article 32.]

Tusla Child and Family Agency

Tusla is a state agency in Ireland responsible for improving the well-being and outcomes of children. It has been fined twice under the GDPR. The first fine was for three instances in which information about children was wrongly disclosed to unauthorized parties. The second was for insufficient fulfillment of a data breach notification: a letter documenting allegations of abuse was sent to a third party, who then uploaded the letter to social media.

[Table 3 - Tusla. Source: GDPR Enforcement Tracker. GDPR article cited: Article 33.]

GDPR Enforcement Against Individuals

While high-profile litigation peppers the news, it is important to recognize that GDPR enforcement is not limited to the business community. The following two examples highlight situations in which individuals were fined.

The first example is from Germany, where a man was fined for a YouTube video containing license plates. In the second, a soccer coach in Austria was fined after filming players taking a shower without their consent.

[Table 4 - Individuals. Source: GDPR Enforcement Tracker.]

In addition to these handpicked examples, there is litigation pending due to GDPR violations for tech giants Twitter, Facebook, and WhatsApp (which is owned by Facebook). It is unclear how soon decisions on these cases will be released.

A Global Crisis Doesn’t Halt Data Protection

The EU’s stance is clear: Its data protection legislation does not negatively impact measures taken in fighting COVID-19, nor are the provisions of the GDPR to be overlooked because of the pandemic. Even before the pandemic, workforces were already partly distributed, with employees working from home, on the road, or from other off-site locations. The pandemic greatly increased the number of home-based workers, of course, and employers were urged to comply with internal, local, or national directives supporting the health, safety, and well-being of their employees.

While it’s both a legal and an ethical obligation for organizations to keep the health and well-being of their employees at the forefront, it is also critical that they have data safety and security measures in place for their workforce. Data protection should not be viewed as a barrier to working from home, but organizations will need to apply the same types of security measures they had in place when employees were on-site or using company devices. These measures are especially important if employees are expected to use personal devices for work-related tasks.

Regardless of where an employee is working, the GDPR’s Recital 83 stipulates that personal data must be protected both at rest and in transit. Data in transit is data being moved or accessed across a network, and data at rest is stored data (e.g., on a hard drive or USB device).

Due to the pandemic, organizations have reported concerns that their data protection practices may falter and not meet their usual standard, or that response times may lengthen. While statutory timetables cannot be altered, the U.K.’s Information Commissioner’s Office (ICO), for example, acknowledges that there may be delays in responding to information rights requests during this time.

The following are five good practices to stay GDPR-compliant with a newly distributed workforce:

  1. Update your cybersecurity policy to include “working from home.”
  2. Train employees on the cybersecurity policy and what is expected from them.
  3. Keep data encrypted whether in transit or at rest.
  4. Limit access to sensitive data.
  5. Keep your connections secure (e.g., organization or corporate VPN).


How the GDPR Impacts Community Groups During the Pandemic

During these difficult times, individuals are coming together to help vulnerable populations. Neighborhood groups, church groups, homeowner associations, and other small groups are working alone or joining together to help those in greatest need. These groups generally must handle sensitive personal information and share it with others, which triggers data protection legislation. But this should not stop groups from helping those in need.

The following are five general guiding principles for community groups:

  1. Be clear about your intentions. Be open and honest about why you need the information, what you will do with it, and who it will be shared with.
  2. Share the information when it benefits public safety. Share data that could help someone who is homebound receive resources that will improve their quality of life. Not sharing this data could do more harm.
  3. Keep it lawful. Assess legitimate interest, vital interest, and consent before using personal data you receive.
  4. Ensure data is secure. You’re responsible for the data you collect. Data should be secured on a device or in a locked location, for example.
  5. Only collect what you need. Collect only the data you need to help the vulnerable person. When the data is no longer needed, ensure it is destroyed.


Looking Ahead

The GDPR will continue on its forward-thinking trajectory, focusing on strengthening objectives, informing citizens of their rights, and coordinating practices across EU member states. In 2024, when the EC publishes the next evaluation report, it will be interesting to see not only how the GDPR has advanced, but also how it has shaped data protection and privacy partnerships globally.


Kelly LeBlanc is a knowledge management specialist at FireOak Strategies, where she specializes in OA, open data, data management, geographic information systems (GIS), and data/information governance issues. Prior to joining FireOak, Kelly was with the Digital Initiatives Unit at the University of Alberta, where she worked with GIS, metadata, spatial, and research data. She served in various municipal planning and development capacities working with GIS, municipal law, planning/zoning regulations, and resource management. LeBlanc holds an M.L.I.S. from the University of Alberta and a master of letters from the University of Glasgow.