GDPR’s goal is to ensure that organisations respect individuals’ rights when handling their personal data.
Yes, there are concerns about its status and applicability: it has had to evolve in response to legal challenges (e.g. the Schrems II decision) and to developing technology such as AI. But the UK and EU data protection authorities continue to rely on it to pursue privacy violations, particularly because compliance remains patchy, even amongst large corporations that have significant resources to throw at it.
Meta is a prime example, having been fined multiple times for failing to comply, e.g.
- WhatsApp was fined €225m by the Irish Data Protection Commission for failing to inform users about how it shared data with Facebook (a breach of GDPR’s transparency obligations).
- Instagram was fined €405m by the Irish Data Protection Commission for various violations involving the processing of children’s data.
The holding and processing of data by group companies is also being scrutinised, particularly data held on software that is hosted in, or accessed from, more than one country. For example, the Irish Data Protection Commission recently announced two inquiries into TikTok, covering:
- the transfer of user information/personal data to China through the company’s chain of ownership, and
- the way it processes children’s data.
US companies with EU subsidiaries can no longer rely on the EU-US Privacy Shield (invalidated by the Schrems II decision). Even group companies doing something as basic as sharing personal data for legitimate administrative purposes like staff payroll need a valid transfer mechanism and must ensure compliance with the rules.
Enforcement action is starting to impact smaller businesses too, particularly those in technology. You can see a list of GDPR fines here – some examples include Clearview AI (€9m fine for non-compliance with general data processing principles), Easylife (€1.5m fine for insufficient legal basis for data processing), Nestor (€20k fine for insufficient fulfilment of information obligations) and SlimPay (€180k fine for insufficient technical and organisational measures to ensure information security).
Call to action:
- Continue to assess what personal data is held and processed, particularly in relation to new products, services or markets.
- Document it and carry out a risk assessment for each instance (including a transfer impact assessment where data leaves the UK/EU).
- Ensure you have inter-company agreements for group companies that include the updated (2021) EU ‘standard contractual clauses’, or the UK equivalent for UK transfers, unless you have implemented binding corporate rules or can rely on a relevant exemption.
Do you have all of the correct safeguards in place to ensure the safety of the personal data you process? Aphaia provides both GDPR and Data Protection consultancy services and Data Protection Officer outsourcing. If you need help getting back on track to full compliance, get in touch with them here.