5 years of GDPR: There is still a long road ahead
GDPR is five years old this week. We have a look at its impact – how it’s being monitored and what we can expect in future.
The General Data Protection Regulation (GDPR) is a European Union law that governs the way in which we use, process, and store personal data.
It came into effect 5 years ago today, on 25 May 2018, and has challenged lawmakers, website owners and their users to re-evaluate the use of data – from collecting it, to using it and what happens to it afterwards.
The Data Protection Commission (DPC) is the supervisory authority for GDPR in Ireland. Its recently released annual report includes some interesting details of 2022’s efforts to enforce effective data protection, including punitive fines in excess of €1 billion issued, the conclusion of 13 large-scale inquiries, the resolution of 10,008 individual cases and observations in relation to 30 pieces of new legislation.
Challenges for website owners
GDPR is branded as the world’s toughest privacy and security law. It means that if you collect customer, prospect, or employee data, or give individuals the opportunity to have their say on your website, you need to know where the data is at all times.
In other words, you need to ensure you track it, react to it, then make a conscious decision to use it or (securely) lose it.
Our Data Protection Officer Maeve Dunne has written extensively on how to make sure your handling of data is fully compliant. Basically, you need to know what personal data you hold, where it is stored, and who has access to it.
We take a look at some of the cases handled by the DPC in 2022 and the impact that data regulation has had on website owners.
1. An access request and what this entails
The DPC received a complaint regarding a subject access request made by an individual to an organisation (the data controller) for a copy of all information held regarding his engagement with the data controller.
The complainant was not satisfied with the fact that certain documents had not been provided in response to his access request.
As the DPC noted, data protection access rights are not about access to documents per se; they are about access to personal data.
An access request may be fulfilled by providing the individual with a full summary of their data in an intelligible form. The form in which it is supplied must be sufficient to allow the applicant to become aware of the personal data being processed, and to check that it is accurate and is being processed lawfully.
Things to watch for
Web users have a right to obtain information about the personal data you hold about them and to request that it be corrected or deleted at any time. They should be able to find the options for exercising these rights easily.
One way to allow easy access is to add a link or button to the footer of all your web pages, or to provide a page with more detailed information on how users can access and manage their data.
A small, hovering, permanently visible icon, or a link placed in a visible and standardised position, will allow users to withdraw their consent easily at any time.
2. Delayed response to access and erasure requests
The complainant alleged that holiday/accommodation website Airbnb failed to comply with an erasure request and a subsequent access request they had submitted to it within the statutory timeframe.
In addition, the complainant stated that when they submitted their request for erasure, Airbnb requested that they verify their identity by providing a photocopy of their identity document, which they had not previously provided to Airbnb.
The DPC found that Airbnb’s requirement that the complainant verify their identity by submitting a copy of their photographic ID infringed GDPR’s principle of data minimisation.
The DPC also found that Airbnb infringed GDPR because it failed to provide the complainant with information on the action taken on their request within one month of the receipt of the access request.
Things to watch for
Your privacy policy must be clear, easy to understand, and easily accessible via a link on every page of your website.
The primary purpose of a privacy policy is to inform your site’s visitors about how you collect, use, store, and disclose their personal data. It should also explain the user’s rights and your obligations to them.
Some of these rights include the right to access their personal data and the right to request its erasure. Website owners must provide the information within the statutory timeframe, and to be able to do so they should make sure their systems (including their website) offer a quick and easy way both to provide the information requested and to erase it.
Your website needs to be able to support you in meeting your obligations, not be a hindrance that could cause delays.
3. Data breach
One of the cases handled by the DPC in 2022 involved a Hospice Care Centre (the data controller) that had not yet introduced multi-factor authentication on all accounts, as recommended by its IT provider.
Unfortunately, a user’s credentials were compromised in a brute-force attack, a compromise that might have been prevented had the controller introduced multi-factor authentication as recommended at the time of the IT provider’s audit.
Things to watch for
Anthony Lindsay, Director of Managed Services, examined what is involved in securing the data you collect. In practice, this means ensuring your web application and systems are secure.
Here are a few things you can do to secure your website and keep user data protected:
- Ensure that both server and application software are up to date with the latest security releases and are properly configured
- Ensure that only the people who need access to the data actually have it
- Ensure that the data is not reachable by robots and crawlers
- Do not collect, use or store more personal data than what is necessary, and remove it as soon as you can.
Anthony has written a series of blogs on website security.
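The breach above began with password guessing that nobody noticed until an account had already fallen. As an added example (not code from the original post, nor from the IT provider’s audit), here is a small detector in JavaScript that runs over authentication log lines and raises an alert when an account collects a burst of failed logins within a minute, and again when a success follows that burst. The log lines, their format (timestamp, result, user, source IP) and the threshold are all constructed assumptions for the example.

```javascript
// Added example, not code from the original post: flagging a credential brute-force
// attempt in authentication logs. The log lines and their format (timestamp, result,
// user, source IP) are constructed for this example; the IP addresses come from the
// RFC 5737 documentation ranges.
const LOG_LINES = [
  '2023-05-25T09:00:00Z auth failure user=j.doe ip=203.0.113.7',
  '2023-05-25T09:00:05Z auth failure user=m.byrne ip=198.51.100.23',
  '2023-05-25T09:00:09Z auth failure user=m.byrne ip=198.51.100.23',
  '2023-05-25T09:00:14Z auth failure user=m.byrne ip=198.51.100.23',
  '2023-05-25T09:00:18Z auth failure user=m.byrne ip=198.51.100.23',
  '2023-05-25T09:00:22Z auth success user=j.doe ip=203.0.113.7',      // one typo, then success: normal
  '2023-05-25T09:00:27Z auth failure user=m.byrne ip=198.51.100.23',  // fifth failure inside a minute
  '2023-05-25T09:00:31Z auth failure user=m.byrne ip=198.51.100.23',
  '2023-05-25T09:00:40Z auth success user=m.byrne ip=198.51.100.23',  // guessed it: the event that matters most
];

const LINE_RE = /^(\S+) auth (failure|success) user=(\S+) ip=(\S+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1]), result: m[2], user: m[3], ip: m[4] };
}

// Sliding window per account: alert when `threshold` failures land inside `windowMs`,
// and again if a success follows such a burst, which is what a compromise looks like.
function detectBruteForce(lines, { threshold = 5, windowMs = 60_000 } = {}) {
  const recentFailures = new Map(); // user -> timestamps of failures still inside the window
  const alerts = [];
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    const recent = (recentFailures.get(ev.user) || []).filter((t) => ev.ts - t <= windowMs);
    if (ev.result === 'failure') {
      recent.push(ev.ts);
      if (recent.length === threshold) { // fire once per burst, not on every further failure
        alerts.push({ type: 'brute-force', user: ev.user, ip: ev.ip, at: line.split(' ')[0] });
      }
    } else if (recent.length >= threshold) {
      alerts.push({ type: 'success-after-burst', user: ev.user, ip: ev.ip, at: line.split(' ')[0] });
    }
    recentFailures.set(ev.user, recent);
  }
  return alerts;
}

console.log(detectBruteForce(LOG_LINES));
```

Run as a script, it prints the two alerts for m.byrne: the burst at 09:00:27 and the success at 09:00:40. The second alert is the one that turns a noisy log into an incident, and it is exactly the step that multi-factor authentication on every account would have blocked, which is why the IT provider’s recommendation mattered. Account lockout or rate limiting would also cut the burst short before the fifth attempt.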
4. Unsolicited email marketing
The DPC received complaints regarding unsolicited marketing emails received from Guerin Media Limited.
Guerin Media told the DPC that due to human error and the fact that their details remained on a Gmail contact list, two individuals were sent marketing emails that should not have been sent to them.
The company pleaded guilty to three charges under Regulation 13(1) of the ePrivacy Regulations. The Naas District Court convicted Guerin Media Limited on all three charges and handed down fines totalling €6,000.
Things to watch for
If you use email marketing services to send out newsletters or for any communication, you need permission from your users to send the emails.
A method such as “double opt-in” requires users to verify their email address after submitting it. Any ‘tick to join our mailing list’ checkbox on a form should be unchecked by default – users have to opt in, rather than opt out.
And on that note, users should be able to easily opt out of emails at any time. An unsubscribe link found in the emails should take them to a page where they can unsubscribe without any difficulty.
Other things worth noting
Cookie banners
If your website uses cookies (read this blog for more information), then you should use a compliant cookie banner to ensure you get consent from users to store cookies on their devices.
The banner informs visitors about how the website uses cookies and what information they store. It also informs them about their right to refuse the storage of cookies.
It is important that you do not load cookies without users’ explicit consent (opt-in).
In addition, the user should easily be able to recall the banner if they decide to withdraw or change consent status.
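To make the opt-in rule concrete, here is an added example in JavaScript (not code from the original post or from any cookie-banner product) of the logic behind a compliant banner: every cookie the site sets is declared with a purpose category, nothing outside the “necessary” category is written until the visitor has opted in to that category, and a changed or withdrawn choice removes the cookies already set. The cookie store is injected so the logic runs in Node; in a browser an adapter (assumed, not shown) would wrap document.cookie.

```javascript
// Added example, not code from the original post: consent-gated cookies.
// Only strictly necessary cookies are set before the visitor decides; every
// other cookie is blocked until its category is opted in, and withdrawing
// consent removes what was already set. The cookie store is injected so this
// runs in Node; in a browser the adapter (assumed, not shown) would wrap document.cookie.

// Declare every cookie the site sets and its purpose. Anything not listed here
// cannot be set at all, which is how undeclared third-party cookies get caught.
const COOKIE_REGISTRY = {
  session_id: 'necessary',     // login session, exempt from consent
  csrf_token: 'necessary',
  _analytics_id: 'analytics',
  ad_profile: 'marketing',
};

class ConsentManager {
  constructor(store) {
    this.store = store;                                    // { set(name, value), remove(name), names() }
    this.consent = { analytics: false, marketing: false }; // default: nothing opted in
    this.decided = false;                                  // banner shows while this is false
  }

  // Banner submit ("accept selected" or "reject all"): only an explicit true is
  // consent; a category absent from the choice is treated as refused.
  recordChoice(choices) {
    for (const category of Object.keys(this.consent)) this.consent[category] = choices[category] === true;
    this.decided = true;
    return this.purgeUnconsented(); // withdrawal takes effect immediately
  }

  // "Cookie settings" link in the footer: brings the banner back so the visitor
  // can change or withdraw consent; cookies stay until a new choice is recorded.
  reopen() {
    this.decided = false;
  }

  // The single gateway through which site code sets cookies.
  setCookie(name, value) {
    const category = COOKIE_REGISTRY[name];
    if (category === undefined) return { set: false, reason: 'unregistered cookie' };
    if (category !== 'necessary' && !this.consent[category]) return { set: false, reason: `no consent for ${category}` };
    this.store.set(name, value);
    return { set: true };
  }

  // Remove every cookie whose category is no longer consented (and any unregistered ones).
  purgeUnconsented() {
    const removed = [];
    for (const name of this.store.names()) {
      const category = COOKIE_REGISTRY[name];
      if (category === undefined || (category !== 'necessary' && !this.consent[category])) {
        this.store.remove(name);
        removed.push(name);
      }
    }
    return removed;
  }
}

// In-memory stand-in for the browser cookie jar, so the flow runs offline.
function memoryStore() {
  const jar = new Map();
  return {
    set: (name, value) => jar.set(name, value),
    remove: (name) => jar.delete(name),
    names: () => [...jar.keys()],
  };
}

function demoConsent() {
  const store = memoryStore();
  const cm = new ConsentManager(store);
  const beforeChoice = cm.setCookie('_analytics_id', 'A1'); // banner not yet answered: blocked
  cm.setCookie('session_id', 'S1');                         // strictly necessary: allowed
  const firstChoice = cm.recordChoice({ analytics: true }); // marketing omitted, so refused
  const analyticsAllowed = cm.setCookie('_analytics_id', 'A1');
  const marketingBlocked = cm.setCookie('ad_profile', 'P1');
  const undeclared = cm.setCookie('tracker_x', 'T1');
  cm.reopen();                                              // visitor reopens the banner...
  const removed = cm.recordChoice({});                      // ...and withdraws all consent
  return { beforeChoice, firstChoice, analyticsAllowed, marketingBlocked, undeclared, removed, remaining: store.names() };
}
```

In a browser the store adapter would write `document.cookie` and expire a cookie by setting `Max-Age=0` on the same name and path. Cookies dropped by third-party scripts cannot be intercepted this way, so the same consent state also has to gate whether those scripts are loaded at all; the registry is what tells you which ones you forgot to declare.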
Forms
Forms are where your site becomes interactive. They let users enter information for processing and submit data for purchases, searches, subscriptions and more.
Unfortunately, they present a juicy target for bad actors and bots. This is a great blog about keeping your forms secure. Generally speaking, if your website has any kind of forms – such as enquiry, contact or subscriptions – that collect personal data, you must:
- Include a privacy statement that explains why you’re asking for their details and what you’re going to do with them
- Add a checkbox (or similar option) so that people can choose whether to receive correspondence from you or related services.
- Preferably, add a link to the Privacy Policy for further information.
Another note on forms:
Data can also creep in unnoticed through “free-form” text fields, usually longer text fields tagged onto the end of your form. You potentially have GDPR responsibility for any personal data entered there.
Want to know more?
Your data is your responsibility. This blog looks at some things that you should be aware of to make sure your handling of data is fully compliant.
The year ahead
Helen Dixon, Commissioner for Data Protection, noted in her foreword to the DPC’s annual report for 2022, that it was a year in which “the conclusion of comprehensive DPC enforcement action brought clarity to the application and enforcement of many novel and complex issues under GDPR”.
“Our work in 2023 is set to continue this trend as we seek to pursue the issues of greatest consequence for data subjects, drive compliance, and, most importantly, safeguard individuals’ rights,” she wrote.
Because many Big Tech firms are headquartered in Ireland, it falls to the DPC to be the EU authority over companies such as Google, Meta, Apple, TikTok and Microsoft.
The Irish Council for Civil Liberties has been monitoring Europe’s data protection authorities. A recent report from the ICCL, “5 years: GDPR’s crisis point”, shows that almost five years after GDPR was introduced, there has been “little substantial enforcement in EU-level cases”.
And the Irish Commission has been called out for being too lenient – 75% of its GDPR investigation decisions in EU cases were overruled by majority vote of its European counterparts at the European Data Protection Board (EDPB), who demand tougher enforcement action.
Just this week, the Irish regulator fined Meta a record €1.2 billion for violating European privacy laws. It is the largest EU privacy fine imposed to date – the previous record was the €746 million penalty handed to Amazon in 2021. But this fine was essentially a “do over”.
In its original Meta ruling, the DPC didn’t recommend a fine. Its fellow European data watchdogs disagreed with the decision and ultimately the EDPB ordered that a fine be imposed.
Helen Dixon wrote in the annual report that the DPC was willing to use “other potentially more significant corrective powers, such as orders, to bring about improvements in corporate behaviour and avoid further transgressions”.
As Ireland continues to tackle EU cross-border investigation decisions, it will be interesting to see whether the Irish DPC continues to choose “amicable resolution” to conclude the complaints it receives or if it will take a tougher stance against those who continue to fall short of GDPR’s standards.
Need a GDPR audit done on your site?
We offer a comprehensive GDPR audit service to ensure your website is compliant. We will thoroughly review your website, identify gaps and provide a report detailing what data is being processed, how it is collected and accessed, and what data is stored on your site.
Alison Visser, Head of Content
After more than two decades in journalism, Alison now collaborates with Annertech's clients to ensure that their content is the best it possibly can be.