Nearly one year after application of GDPR: what's the status?

Emmanuelle Ragot, partner head of data/IP/TMT at Wildgen Wildgen

Emmanuelle Ragot, partner head of data/IP/TMT at Wildgen Wildgen

In her role as partner head of data/IP/TMT at Wildgen, a Luxembourg law firm, Emmanuelle Ragot shares her thoughts on the status of GDPR, nearly one year on. 

The General Data Protection Regulation (GDPR) has been applied since 25 May 2018. Although the GDPR is a regulation by opposition to a directive, therefore directly binding and applicable, areas within the regulation require the EU member states to supplement the GDPR with local legislation. 

Luxembourg has already enacted GDPR law in August 2018, but five EU member states have not yet passed such legislation. Bulgaria, Czech Republic, Greece, Portugal and Slovenia still need to adapt their legal frameworks to the new EU-wide rules. 

Concomitantly, this year has stressed the importance of the GDPR in the light of recent large-scale data breaches. As data practitioners, we are witness to the positive outcome the GDPR has had in raising the awareness on data protection and rights/requirements available to organisations and citizens.

According to the latest information released by the EU Commission, the national data protection authorities (DPA) have received more than 95,000 complaints from citizens since May. Most of the complaints reported to the national DPA were relating to telemarketing, promotional emails and video surveillance/CCTV (40,000 data breach notifications reported to national data authorities across the EU, 255 ongoing investigations by national data authorities of cross-border GDPR violations). 

The largest fine issued for lack of consent to processing personal data was in the sum of €50,000,000. In Luxembourg, 172 data breaches have been reported to the National Commission for Data Protection (CNPD) between May and December 2018, the majority of which are related to electronic communication incorrectly addressed to a third party. 

Companies have integrated the data minimization, i.e., the fact that “data must be collected in an adequate, relevant and limited to what is necessary”.  The GDPR favors data quality instead of data quantity and the protection of data subject’s rights. 

Even though the below list is not exhaustive, GDPR’s requirements are better perceived as a potential source of an important value to: 

  • Avoid litigation with data subjects/consumers;
  • Strengthen trust in products and services from a commercial and reputational point of view; 
  • Renegotiate agreements with partners, suppliers--the position of a company complying with GDPR’s provisions is stronger in the context of the review and amendments of contracts with its counterparts;
  • Reduce the risk of cyberattacks. 

It is fair to observe that even though compliance with GDPR is not optional, a certain number of organisations are still not fully GDPR compliant or not even totally trained.

Nevertheless, there is a clear awareness in the necessity of a modern data protection regime which facilitates data transfers and supports trade and also convergence with non-EU member states; recently, the EU has adopted mutual adequacy of data transfer with Japan and has announced discussion with South Korea.