When will the first GDPR enforcement action come down and which industry sector will feel it first? This is one of the lingering questions waiting to be answered since the EU General Data Protection Regulation came into effect May 25.
While a GDPR crystal ball does not exist, the IAPP did a simple investigation that might predict when the first GDPR enforcement actions will be issued.
The IAPP looked at the enforcement actions taken by the Information Commissioner’s Office in the United Kingdom, generally regarded as the most active European regulator and the one with the largest staff, to see if there were any significant patterns that would give a workable prediction on the timeline for the first GDPR enforcement action.
Out of the 100 most recent enforcement actions from the ICO, the most prevalent sectors that the ICO regulated were marketing, criminal justice, health, financial services and local government. The most common action types were enforcement notices, monetary penalties, prosecutions and undertakings.
Generally, the ICO actions revealed three important dates:
- When the offender's violation took place.
- When the ICO was notified or issued a complaint to the offender under investigation.
- When the ICO issued an action against this offender.
After identifying these dates for as many as possible of the 100 ICO actions, the IAPP investigated the number of days elapsed between when the ICO was notified or issued a complaint against the offender and when action was issued against the offender. How long, we wondered, did the average case take from complaint to enforcement?
Of the 100 actions investigated, the smallest number of days elapsed between a complaint and the action was six days. The offender, who was issued a monetary penalty, made unsolicited direct marketing calls to around 70,000 phone numbers.
Conversely, the highest number of days elapsed was 1,064, dealing with a company in the online technology and telecoms sector that did not adequately protect customer personal data on its site.
Going through the 100 ICO actions revealed that, on average, 338 days elapse from the day the ICO issues a complaint to the day it issues the action.
Nonetheless, there are some variations that, if known, could possibly make the prediction clearer.
For one, most of the actions reveal the exact dates that the offending action took place and when the ICO received complaints, but some of the actions lacked the exact date the complaint was issued to the offender.
Next, complaints against individuals, which resulted in prosecution and had relatively small monetary penalties, did not reveal when the offending action took place or when the complaint was issued. While individual offenders may seem insignificant, the ICO does issue a significant number of actions against individuals.
Finally, in some cases, sectors of interest and importance to the public, such as health, criminal justice and local government, did not always include the date the ICO issued the complaint and, thus, it is difficult to predict when a GDPR enforcement action will be issued in these sectors.
One reason is that many of the actions the ICO took in the health sector were against individuals, which resulted in low monetary penalties and only a brief action report from the ICO. However, it is likely that the missing date of the complaint is purely coincidental and that a larger sample size would reveal fewer missing complaint dates. It would be helpful to know if these sectors were above or below the total average of 338 days for all 15 sectors included in the study.
Not all the information from the important sectors was missing, however, as the financial services and marketing sectors did reveal interesting trends.
In the financial services sector, the average time between the date the complaint was issued and the date of the action was above the total average, coming in at 389 days.
Meanwhile, the marketing sector was below average at only 273 days elapsing between when the complaint was issued and when the action was issued. From this data, it is likely that a complaint from the marketing sector will be one of the first enforcement actions issued under the GDPR.
Thus, assuming that a complaint from the marketing sector came into the ICO’s office on May 25, 2018, we playfully predict the first GDPR enforcement action out of the ICO’s office on February 22, 2019.