EU GDPR – Organisations can run but they cannot hide.

Posted on April 19, 2017


As I argued in my earlier blog ‘EU GDPR Fines Clarified – Cutting through the FUD’, which set out how organisations will be exposed to fines under the European General Data Protection Regulation (GDPR), it is unlikely that the Supervisory Authorities are going to come out swinging, looking for heads to roll, for the simple reason that most of them are already struggling to resource the extra head count they will need to police the regulation.

The breach notification obligations (Articles 33 and 34) are without doubt one of the most obvious reasons for organisations to get ready for GDPR. However, the real power is quite possibly going to come from a less obvious source: the people themselves, who will hold organisations to account if they do not honour their obligations under GDPR. This means more than fines; it will increasingly deliver killing blows to brands and businesses that try to play fast and loose with their GDPR obligations.

We can expect to see individuals, the ‘data subjects’ (Article 4(1)), becoming educated about how their information can be used and how they will be able to control it under GDPR. Two rights that illustrate the implications of this, and the transparency that will be imposed on organisations’ GDPR readiness, are:

  1. Article 15, Right of access by the data subject – better known as Subject Access Requests (SARs). Under Article 12(3), organisations must respond to a SAR “without undue delay and in any event within one month of receipt of the request”; the deadline can be extended by a further two months for complex or numerous requests, but only if the data subject is told of the extension, and the reason for it, within the first month. Organisations that cannot meet this deadline will no doubt generate many complaints.
  2. Article 77, Right to lodge a complaint with a supervisory authority – the ability to lodge complaints against companies, which the Supervisory Authority is obliged to handle and investigate to the extent appropriate (Article 57(1)(f)) and which could therefore trigger an audit. Any such audit becomes the catalyst for exposing non-compliance and, in that event, the inevitability of penalties. The significance of this lies in Article 78, which goes on to make it clear that if the Supervisory Authority does not handle the complaint, or does not inform the data subject of its progress or outcome within three months, the data subject can seek an ‘effective judicial remedy’ against the Supervisory Authority itself. So be assured that complaints are likely to result in some degree of audit of the targeted organisation.

It is highly likely that privacy-literate data subjects will drive much of the initial activity of the Supervisory Authorities. The first wave of complaints will no doubt start flooding in from customers of companies that cannot respond to SARs within the one-month deadline, or cannot respond adequately, and who then take their grievance to the Supervisory Authority. A single complaint can prospectively begin a cycle of enforcement as the Supervisory Authority’s audits start rolling. Organisations will soon realise that with GDPR they cannot get away with the lip service they have paid to the data protection regime it replaces.

Expect to see targeted efforts by some groups against particular companies or sectors as a form of consumer protest or other moral campaign (animal rights, for example). Just as organisations have come to terms with Distributed Denial of Service (DDoS) attacks on their networks, they will need to get ready for a new class of DDoS in the form of letters and emails carrying SARs, knowing that it will take only ONE to bring the spotlight onto their GDPR readiness.