An interesting article by Stephan Grynwajc, who writes about the levels of activity the European agencies have been undertaking since the GDPR came into force in May last year. It really highlights the work that is being done and the findings that are likely to be coming down the road, even if at first glance there has not been much in the public domain about enforcement efforts.
Mr. Grynwajc does highlight three themes that can be identified by looking at the actions that have been taken: a lack of transparency, a denial/disregard of user access rights, and a failure to safeguard data. From what I am seeing on the technology side, the latter two of these are definitely driving client concerns, mainly around how to respond to Subject Access Requests ("SAR") and how to respond to an incident (i.e. data breach or loss).
In both these issues, the way data cascades through companies and their systems can cause inherent problems, as many companies do not have adequate control or visibility over the flow of data. This can result in them not knowing where to look or when/if they have an issue.
Companies need to get a grip on their data, and should really be doing this proactively (through process and data maps, for example) rather than reactively when they are subject to either a SAR or a cyber-breach.
This is only going to become more and more relevant, and as Mr. Grynwajc states: "As more sanctions are imposed and shared with the global business community, we recommend that our clients...heed the lessons learned, and if necessary, refine their compliance efforts accordingly."
As of February 2019, nearly 100,000 claims under the GDPR have been lodged with EU national data protection authorities (“DPAs”), many relating to telemarketing and promotional e-mails. Similarly, just over 40,000 data breaches were reported to the DPAs; and 255 investigations into EU cross-border processing activities were initiated, mostly as a result of complaints filed by individuals.