It’s been nearly a year since the European Union’s General Data Protection Regulation (GDPR) became enforceable. In that span of time, news outlets have reported various stories largely concerning the regulation and its penalties scheme. In January 2019, for instance, the world learned that France’s data protection regulator CNIL had fined Google 50 million euros for “lack of transparency, inadequate information and lack of valid consent regarding ads personalization,” as reported by BBC News. Several months later, officials in the UK and Ireland told The Wall Street Journal that they expected to announce large fines for other organizations beginning in the summer of 2019.

Notwithstanding this coverage, the significance of GDPR’s one-year anniversary extends beyond regulatory fines and penalties. The European Data Protection Board (EDPB) confirmed as much in its first overview report of the regulation. This publication sheds light on how the national supervisory authorities (SAs) of EEA (the European Union 28, Iceland, Norway and Liechtenstein) have worked together to consistently enforce the GDPR within its first year.

Let’s take a moment now to examine the main findings of this report.

Implementation at the National Level

The EDPB report found that the SAs of EEA reported a total of 206,326 cases within the first year of GDPR’s implementation. All of these cases pertained to one of three subject matters. Close to half (94,622) dealt with complaints, while 64,684 of those reports concerned data breach notifications. The remaining cases focused on “other” issues.

Within that time period, authorities closed just over half (52 percent) of those cases.

GDPR stipulates that SAs have different types of corrective powers which they can use with an offending data processor or controller. These rights include issuing warnings, handing down reprimands, ordering that the entity bring its operations into compliance with the regulation (Read more...)