2019 was expected to be the “year of the data breach”, or more specifically, the time we would see the real impact of the GDPR in the sense of regulatory authorities starting to make use of their hefty new powers under the regulation. We anticipated, in our recent article, that the anniversary of GDPR would mark a key milestone for regulators who, having taken the time to work through the backlog and investigate breaches declared as required by GDPR, would likely start demonstrating and using those powers - in particular, issuing fines. In fact, in her latest newsletter, Elizabeth Denham the UK Information Commissioner, confirmed the same, saying “many of the investigations launched with our new powers are now nearing completion and we expect outcomes soon, demonstrating the actions my office is willing and able to take to protect the public.”
The message is clear – any unwritten grace period for compliance is over. It is no longer enough for companies to say they will or are taking steps to comply; the accountability principle is live – you either comply or risk being caught out and subject to the sanctions that the regulators are not afraid to impose. The Information Commissioner further reinforced the idea saying, “for those who do not take this responsibility seriously or those who break the law, we will act swiftly and effectively.”
Now is the time to ramp up your compliance programs if you have already started – and certainly get them well underway if you have not. It would also be advisable to refresh and audit your compliance given the passing of the one-year anniversary.