Information Today, Inc. Corporate Site KMWorld CRM Media Streaming Media Faulkner Speech Technology Unisphere/DBTA
Other ITI Websites
American Library Directory Boardwalk Empire Database Trends and Applications DestinationCRM Faulkner Information Services Fulltext Sources Online InfoToday Europe KMWorld Literary Market Place Plexus Publishing Smart Customer Service Speech Technology Streaming Media Streaming Media Europe Streaming Media Producer Unisphere Research

News & Events > NewsBreaks
Back Index Forward
Twitter RSS Feed

Six Months of the GDPR's Pioneering Data Protection and Privacy
Posted On December 4, 2018
As Europe’s General Data Protection Regulation (GDPR) gains momentum—impacting data privacy on a global level—we are just beginning to see reports, cases, and instances in which the GDPR is enforced. Whether through warnings, sanctions, or fines, the GDPR is taking the initiative in data privacy enforcement.

A Brief Review

After having rolled out on May 25, 2018, the GDPR has passed its 6-month milestone. It answered the call for a strengthened, uniform, and comprehensive approach to dealing with data privacy. To recap, “general data” pertains to all personally identifying information of individuals who are located within the territorial scope of the European Union (EU). In the U.S., we generally refer to this type of data as personally identifiable information (PII).

The GDPR addresses the following key rights of data subjects:

  1. The right to be informed (Articles 1314)
  2. The right of access (Article 15)
  3. The right to rectification (Article 16)
  4. The right to erasure, aka “the right to be forgotten” (Articles 17 and 19)
  5. The right to restrict processing (Articles 1819)
  6. The right to data portability (Article 20)
  7. The right to object (Article 21)
  8. Rights related to automated decision making and profiling (Article 22)
  9. Restrictions (Article 23)

According to Article 3, “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” This means that if you are processing the personal data of individuals located within the EU, whether or not the processing itself occurs on European territory, the GDPR is enacted and enforceable.

Violating the GDPR potentially comes at a heavy price. Compliance violations could lead to fines of up to €20 million (about $22.6 million) or 4% of global annual turnover. For other breaches, fines are up to €10 million (about $11.3 million) or 2% of global annual turnover. In both cases, whichever amount is greater applies.

Themes From the First 6 Months


As May 25 passed, it was estimated that a significant percentage of organizations processing GDPR-governed data were not in 100% compliance with the regulation. However, concretely showing a good-faith effort of progressive compliance was key.

Core requirements of the GDPR (e.g., providing documentation in the event of an audit, producing records of processing events at the time of request, and meeting the 72-hour breach notification window) all contribute to organizational anxiety. This impacts an organization’s compliance confidence.


The role(s) responsible for ensuring GDPR compliance vary by organization (e.g., the IT, finance, or legal department). There is no hard-and-fast rule for designating compliance roles. However, if an organization isn’t firm in assigning responsibility and expected mandates, GDPR compliance will ultimately suffer.

Surviving the GDPR regulatory audit

A GDPR regulatory audit comes from an outside agency (a regulator) and can be likened to the slippery slope of an IRS audit. No organization wants one—it can happen without ample warning, it can result in fines, it causes a negative public image, and it leaves an organization in a state of unrest.  

Enforcement Examples From Around the World

Facebook fan pages

On June 5, not 2 weeks after the GDPR took effect, the Court of Justice of the European Union (CJEU) released a decision on whether an administrator of a Facebook fan page is considered a data controller under the GDPR.

Business Academy Schleswig-Holstein, an education company based in Germany, was the administrator of a Facebook fan page used to market its services.

The violation? The Facebook fan page stored cookies to collect data about the person accessing the page.

Consequently, a German data protection authority ordered the fan page to be deactivated for lack of transparency because users were not informed about any personal data collection.

Business Academy Schleswig-Holstein argued that it was not responsible for the processing of personal data by Facebook; however, the CJEU issued a ruling that the fan page administrator was indeed a joint data controller and thus liable.


The first U.K. enforcement action came as a surprise in that the organization to receive an enforcement notice was AggregateIQ, which is based in Canada.

On July 6, the U.K.’s Information Commissioner’s Office, in no uncertain terms, cited AggregateIQ as within the territorial scope of the GDPR under Article 3(2)(b). The legal enforcement notice declares the company a controller as defined in Article 4(7). While the data investigated goes back to political campaigning in 2016, the concern is that it was still being held as of May 31, 2018, and that it had previously been subject to unauthorized access by a third party.

The violation? Failure to comply with Article 5(1)(a–c) and Article 6 (i.e., those relating to data processing) of the GDPR.

The notice says that data was processed in a manner by which the data subject was unaware, for purposes outside of expectations, and without a lawful basis for processing. It also claims that AggregateIQ is in violation of Article 14(1)(2)(5) (information to be provided when personal data has not been obtained from the data subject). Additionally, it states that the maximum GDPR penalty of €20 million could be imposed. This case is still pending in court.

Austrian entrepreneur

In October, the Austrian Data Protection Authority issued its first fine for GDPR noncompliance. While speculation dictated that the first sets of fines would likely go to larger organizations, the infringing party here is an entrepreneur.

The violation? The business set up a CCTV camera in front of its building that recorded a substantial portion of the sidewalk.

According to the Austrian Data Protection Authority, this action constituted large-scale monitoring of a public place, which is not permissible under the GDPR. In addition, the camera used was not properly marked, meaning the required transparency obligations noted in the GDPR were not followed.

The fine in this matter was proportionate to the business’ income, in the amount of €4,800 (about $5,430). The Austrian Data Protection Authority holds a position that fines should be fair and equitable, which means an organization with a gross annual income of €40,000 (about $45,000) is unlikely to be slapped with the maximum €20 million fine.

Kelly LeBlanc is a knowledge management specialist at FireOak Strategies, where she specializes in OA, open data, data management, geographic information systems (GIS), and data/information governance issues. Prior to joining FireOak, LeBlanc was with the Digital Initiatives Unit at the University of Alberta, where she worked with GISs, metadata, spatial, and research data. She served in various municipal planning and development capacities working with GISs, municipal law, planning/zoning regulations, and resource management. LeBlanc holds an M.L.I.S. from the University of Alberta and a master of letters from the University of Glasgow.

Related Articles

5/8/2018Ex Libris Creates Trust Center for GDPR Prep (and Other Information)
5/15/2018Microsoft Trust Center Offers Resources on GDPR Compliance
5/17/2018EDM Council Studies Data Management and the GDPR
5/22/2018Europe's GDPR to Set New Standards in Data Protection and Privacy Law
5/29/2018RedLink Updates Remarq
6/5/2018ARL Rolls Out Issue Brief on GDPR and Libraries
8/7/2018Archive360 to Host Webinar on California Privacy Act
10/30/2018Social Media Platforms Tangle With Congress and the European Union
1/24/2019A Win for the 'Right to Be Forgotten' for a Doctor in the Netherlands
2/5/2019Celebrate Safer Internet Day on Feb. 5
2/5/2019'Trends to Watch 2019: GDPR Goes Global' by Logan Finucan
6/4/2019WIRED Explains the European Union's New Copyright Law
6/25/2019The First Anniversary of the GDPR: Reflections on the Past Year
10/1/2019diginomica Provides an Update on GDPR Compliance
8/11/2020GDPR 2020: Where Compliance Lands Now
1/26/2021The Boston Globe Debuts Fresh Start Program to Update Past Coverage
7/13/2021GDPR 2021: A Review and Roundup
11/29/2022Meta Runs Into Trouble From the GDPR

Comments Add A Comment

              Back to top