Putting trust to the test


One of the main purposes of the General Data Protection Regulation (GDPR) is to build the trust that is necessary for personal data to be processed for commercial and non-profit purposes.

In 2018, private companies and public authorities made efforts to ensure compliance with the new data protection legislation, and many of them plan to focus on other topics in 2019. Many of them will discover that this is going to be difficult.

Some companies and public authorities have in fact made huge investments to ensure data protection and privacy for their clients and employees. Numerous data processing agreements and privacy notices have been revised. Hundreds of data protection officers have been appointed, and internal policies and instructions have been established on the basis of thorough risk and impact assessments. The ground is well prepared for building trust. Not only should individuals be able to trust the data controllers; professional parties that cooperate in some way to process personal data should also be able to trust each other.

In 2019, this trust will be put to the test. In principle, the national supervisory authorities are to enforce the data protection legislation through inspections and heavy sanctions. As their resources are limited, enforcement also relies heavily on the actions of individuals and of the responsible parties. We share a joint responsibility for ensuring that personal data are processed in accordance with the regulation. Individuals are expected to check how their personal data are processed, using their right of access. Individuals may also ensure that any infringements have consequences, using their right to lodge complaints with the supervisory authorities or to claim compensation for damage. Data controllers and processors are expected to perform regular audits and to require documentation of compliance from their processors and other business partners. Where they discover infringements of the regulation, they must notify the supervisory authority, and they are also expected to enforce their contractual rights to termination and compensation.

So far, there are only a few signs that the enforcement mechanisms have begun to work. The Norwegian supervisory authority has been busy establishing new methods and work processes, and apparently it has not been able to perform as many inspections as expected. No controllers have yet reported receiving as many access requests as they expected, and the ink on the data processing agreements has only just begun to dry. However, once the various parties start to assert their rights, their actions will create a domino effect that touches many parties in this "digital ecosystem". It is hard to predict when this will happen and which companies or authorities will be affected first. In particular, companies that act as data processors of some kind should expect increased attention and new requirements from their customers in 2019.

The GDPR is a complex and difficult regulation, and many questions will need to be clarified through case law from the European courts and the supervisory authorities. There is therefore a high risk that mistakes have been made in the effort to ensure compliance, some of them quite serious. However, I believe that the companies and authorities that have not yet made an honest effort to ensure compliance with the regulation pose a greater threat to the trust that others have invested in. They are the weakest link.

This article was first published in Finansavisen on 31 December 2018.