The General Data Protection Regulation (GDPR) entered into force on 25 May 2018 and, the newly established European Data Protection Board reports that almost 450 cross-border cases around Europe have been registered. The data protection authorities from 11 countries have so far imposed administrative fines of € 55 million in total. Although most of this came from the € 50 million fine on Google by the French data protection authority CNIL in January this year. The announcement on 8 July by the British Information Commission Office, however, that it intends to fine British Airways £183.39 (€ 205m) following a cyber breach in September 2018 confirms that, as predicted, national authorities are now intensifying their supervisory action.

Nearly all Member States have adapted their national laws to meet the requirements of the EU regulation. Greece, Portugal and Slovenia are still lagging behind but are expected to adopt their national data protection legislation this year. An assessment of the application of GDPR rules by local data protection authorities will take place by May 2020, notably to check if Member States have imposed additional conditions for data processing that goes further than what the GDPR actually requires – or so-called gold plating.

FERMA is currently working on a project with the European Association of Internal Auditors (ECIIA) to evaluate the impacts of GDPR on both professions. The objective is to understand to what extent the risk management and internal audit functions are involved in GDPR and to provide information about its implementation to the European institutions. The results of the project will be presented during the fourth quarter of 2019.

Knowledge of GDPR is quite widespread. More than two-thirds of Europeans have heard of GDPR and a majority have heard of most of the rights it guarantees, according to the results of a special Eurobarometer survey on data protection published by the European Commission to mark the first anniversary of the GDPR in May.

The survey shows that: 65% of Europeans have heard of the right to access their data; 61% about the right to correct their data if it is wrong; 59% about the right to object to receiving direct marketing and 57% about the right to have their data deleted and forgotten. Still, 62% of respondents are concerned that they do not have complete control over the personal data provided online. One of the reasons highlighted is privacy statements that “are too long or too difficult to understand, said Vĕra Jourová, Commissioner for Justice, Consumers and Gender Equality.