06 Jun 2019
The 25th May 2019 marked the one-year anniversary of the General Data Protection Regulation (GDPR). Administrative fines, data breach notifications, complaints and Data Protection Officer (DPO) appointments from private and public sector Organizations have been recorded in Cyprus.
During this year the Office of the Cyprus Commissioner for Personal Data Protection have received plenty of complaints about marketing messages, unauthorized access/disclosure of personal data, not responding to the right of access request, and the lawfulness of the Closed-Circuit Television systems. In addition, 49 data breach notifications have been recorded. The office of the Commissioner imposed 9 fines totalling €36.900 while it issued 16 decisions on Data Protection issues and conducted several own initiative investigations. A part of the private and public sector organisations appointed a Data Protection Officer.
The EU Data Protection Authorities (DPAs) have shown strong implementation and fined 91 Organisations for GDPR violations in this first year. The sum of fines amount to approximately €56 million, including €50 million against a single Company. The EU DPAs tended, at the beginning of GDPR’s enforcement phase, to adopt a constructive approach, as they did not wish to put companies out of business with fines so high that a company would be incapable of fixing the problem. They aimed at incentivizing companies to comply with the GDPR, advising them that if they do not, this lenient approach will change and the fines will inevitably get higher.
GDPR has become a part of our lives and it is here to stay. The era of leniency, as the public comments suggest, is about to change and companies are expected to embed GDPR and a data protection culture into their business cores.
GDPR compliance is an ongoing challenged process, requiring time, dedication and commitment. Companies need to adopt a GDPR compliance program which is customised to their business needs and ensure that they are keeping aligned with GDPR requirements, guidelines and enforcement decisions from DPAs.
One of the biggest challenge of GDPR compliance is that it requires financial and employee sourcing or outsourcing. Choosing the right people to assume the Compliance project is not easy. It is observed that the threat of high fines for non-compliance has drawn the Companies’ attention to GDPR and increased the demand for privacy professionals to engage this project. According to a new research of the International Association of Privacy Professionals (IAPP) estimates that 500,000 European organizations have registered data protection officers (DPOs) within the first year of the GDPR. Since organizations are permitted to use external DPOs who in turn may serve multiple organizations, the IAPP expects the number of actual DPOs to be lower than the total count of organizations.
Making efforts to comply with GDPR and change the culture within your business, despite the workload and costs associated ‘’offers a payoff down the line, not just in better legal compliance, but a competitive edge’’ as the UK Information Commissioner Elizabeth Dedham said at the recent Data Protection Practitioners Conference. She also elaborated by saying that:
“Whether that means attracting more customers or more efficiently meeting pressing public policy needs, I believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals. Over time this can play a real role in consumer choice.”