
EU Regulators discuss their GDPR enforcement buildup, focus and approach

By Lewis Barr | Posted on April 25, 2018

The International Association of Privacy Professionals is the world’s largest information privacy organization. Last week, I attended IAPP’s data protection conference in London where UK Information Commissioner Elizabeth Denham and representatives from the data protection authorities (DPAs) of Ireland, France and the European Data Protection Supervisor (EDPS) spoke about their preparation for enforcing the EU General Data Protection Regulation once it takes effect on May 25 of this year. Not surprisingly, the regulators reminded us that there would be no grace period when it came to enforcing the law.

How regulators are preparing for GDPR

In her keynote speech, Commissioner Denham was keen to point out that her office would continue to engage with business to promote better data protection practices and to support international data flows, and she emphasized her belief that privacy and innovation go hand in hand. She spoke about the variety of enforcement tools that her office will deploy in response to finding GDPR violations, depending on the circumstances of the violations. These tools range from official warnings to compulsory audits and orders to stop processing. Commissioner Denham made it clear, however, that in the event of persistent negligence or deliberate flouting of the law, her office would not be shy in imposing appropriate fines.

All the DPAs present spoke of the work their respective offices have undertaken to get ready for May 25 and beyond. Beyond the guides and model tools that have been prepared and shared online by the regulators’ offices (e.g., UK ICO Guide to the GDPR, CNIL guidelines and PIA templates, and Ireland DPC resources), they have been hiring up staff and, in particular, expanding their complaint management departments. It is worth noting, in this regard, that the DPAs already receive and investigate a surprising number of complaints. For example, John O’Dwyer, Deputy Commissioner of the Office of the Data Commissioner for Ireland, stated that the Ireland DPA handled 2,500 complaints last year, but expects that number to increase significantly under the GDPR. The UK Information Commissioner’s Office (ICO), which has the largest staff of all the member state regulators, is planning on increasing the number of caseworkers handling complaints to 200 by 2020, with a total projected headcount increase for the office from 520 to 700, of which 60 will be engaged in enforcement with an equal number providing guidance to the public and privacy community.

Focusing GDPR enforcement

With the myriad privacy challenges presented by developing technologies and the broad protection mandates for their agencies, the regulators all agreed on the need to focus their GDPR enforcement efforts on several areas of concern. For businesses with establishments or business markets in Ireland and the UK, the initial focuses of the Ireland and UK DPAs should be of particular interest. Commissioner Denham stated that the UK ICO will be focusing on cybersecurity, artificial intelligence (AI) — think algorithms and device tracking — and that her office will be developing a “regulatory sandbox” for developers to present AI proposals for privacy protection review. Deputy Commissioner O’Dwyer of the Ireland DPA stated that important areas of focus for Ireland’s office will be transparency and the rights of children. The EDPS representative informed us that her office had been developing IT tools, such as common complaint formats, to support efficient information exchange and cooperation among EU member states in investigating and resolving complaints.

An ongoing commitment to protecting people

While some news organizations are focused on May 25 as the date on which the GDPR takes effect, the compliance and accountability work will be ongoing. As for the focus of companies under the aegis of the GDPR and the privacy professionals advising them, former UK Information Commissioner, Richard Thomas, nicely summed up what it should be during a discussion on managing privacy across the value chain by urging that we banish the use of the term “data subjects” and keep in mind that the GDPR is all about protecting people — men, women and children.

About the author

Lewis Barr

General Counsel and VP, Privacy

Lewis manages Janrain's legal compliance and privacy functions as the company continues its international expansion. He brings more than 15 years of leadership in a wide range of legal and privacy-related matters for growing technology companies. Lewis also utilizes his diverse background as a litigator in private practice, federal appeals court staff attorney, and teacher. Prior to Janrain, Lewis was General Counsel and Secretary of Fios, Inc. and before that, he was General Counsel of New Edge Networks (now EarthLink Business). Lewis holds a Juris Doctor degree from the University of Missouri School of Law and a Bachelor's Degree from Georgetown University’s School of Foreign Service. He is also a Certified Information Privacy Professional (CIPP/US).
