Analysis of GDPR Enforcement Cases - Lessons that ASEAN DPOs can learn

2021-03-05

GDPR as the standard in Data Protection

While more business, more revenue, and more profitability are good to have, the same does not apply in the domain of privacy and personal data protection, where organisations need to respect personal data and comply with data protection laws. The inherent complexity of understanding, implementing, and remaining operationally compliant with country-specific laws on an on-going basis is further accentuated in cases of cross-border data transfers, which has resulted in the GDPR becoming the gold (de facto) standard. New and existing ASEAN laws have been influenced by GDPR principles and requirements. There are lessons that data protection officers and professionals can learn from these enforcement trends.

2020 | The Year That Was

Although 2020 has gone down in the annals of history as the year in which one of the worst pandemics struck, in our parlance it can also be construed as the year in which GDPR fines and cases doubled. Yet the numbers at the EU member state level are still minuscule, and we can expect more enforcement in the coming years.

To a large extent, COVID-19 itself can be blamed for this ongoing trend, as it is forcing work-from-home and surveillance measures and creating vulnerable networks in organisations that rushed to digitise their operations. From 29 enforcement cases and $1 million in fines in CY2018 to 319 enforcement cases and $304m in fines in CY2020, the trend is perturbing and is expected to continue.

Companies Affected

The list of 15 companies on which fines of more than 1 million EUR were imposed comprises corporate heavyweights and household names such as Google, Amazon, H&M, British Airways and Vodafone.

Most Common Enforcement Areas

While the number of enforcements in the EU doubled from 2019 to 2020 despite COVID-19, the number of cases at the member state (country) level is still minuscule. This is set to increase if the trend is an indication of things to come. Luxembourg and Slovenia are the only EU member states yet to enforce the GDPR, whilst Spain has been the most active country in terms of GDPR enforcements. Interestingly, two European Economic Area countries, Norway and Iceland, have enforced the GDPR even though they are not EU members.

In an indication that the ICO and the respective regulators are serious about enforcing the regulation, 15 companies were fined more than €1m in 2020 (versus 5 in 2019); these fines make up 93% of the overall fines.

Google still holds the record fine of €150m in total, with 9 other companies having been fined more than €10m in 2020.

Lessons for ASEAN

  • Importance of the GDPR as a de facto reference standard. Be familiar with it.
  • GDPR enforcements are operational in nature, in contrast to the misconception that the regulation needs only legal compliance. As the GDPR is the standard on which many jurisdictions base their statutes, similar cases can also happen in other parts of the world, including ASEAN.
  • Key areas to focus on:
    1) Comply with data protection principles
    2) Ensure a lawful/legal basis for processing (including stricter consent requirements)
    3) Transparency and security of processing
  • The cases demonstrate the importance of conducting due diligence on third-party processors to ensure secure processing of personal data, and of having a risk management programme.
  • The cases also show that it is important that the data controller (i.e. the organisation) is able to produce evidence of accountability (including cooperation in investigations) to regulators (DPO, DPIA, DP by Design, Data Breach Notification). This would include policies, inventories, risk assessments and maps of data flow within the organisation.


To be prepared to transact with the European market, the DPO would need to upskill their knowledge of the GDPR, as covered by the CIPP/E course.


Article By: Aman Khajanchi and Leong Wai Chong, CIPM, GRCP.

Based on Webinar: Analysis of 2020 GDPR Enforcement Cases - Lessons that ASEAN DPOs can learn
https://www.dpexnetwork.org/events/analysis-2020-gdpr-enforcement-cases-lessons-asean-can-learn/

The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official view or position of DPEXNetwork.

