May 25 marks the third anniversary of what is arguably one of the most contentious laws of our time – the GDPR. The General Data Protection Regulation, or the GDPR, was introduced to enhance the protection granted over individuals’ personal data.

At the time of its implementation, GDPR was hailed as a transformative piece of legislation that would allow individuals (or data subjects, as they are more commonly referred to) greater control over their personal data. In fact, its provisions are geared towards the achievement of that aim – data subjects must constantly be informed of their rights, controllers of data must implement appropriate technical and organisational security measures to protect all personal data that they use, and hefty penalties apply if there is a breach of the law.

That said, we are now three years into the GDPR’s implementation and it is clear that two schools of thought are emerging at a local level. On the one hand, there are those entities that have used these last three years to perfect their data protection compliance. Typically, these are data controllers that are already subject to onerous regulatory compliance and which have come to understand the importance of protecting personal data due to the large amounts of data hosted on their systems.

On the other hand, some entities retain the view that GDPR is an overly tedious, complicated and paper-heavy law. Such entities prefer taking a ‘wait-and-see’ approach and run the unwarranted risk of not implementing data protection measures.

Locally, the Information and Data Protection Commissioner has utilised the past three years to provide further oversight and assistance to anyone seeking GDPR compliance. As of 2021, enforcement actions taken by the commissioner in respect of various infringements of the GDPR are available online and it is clear that the commissioner is taking a stronger stance when it comes to its enforcement measures.


According to publicly available information, the commissioner issued 11 administrative fines in 2020 alone, the highest of which was a fine of €20,000 in respect of a data subject complaint. These measures seem to indicate that the commissioner is ready to take action now that companies have had three years in which to render themselves GDPR compliant.

The last three years have indeed been challenging to businesses seeking GDPR compliance. In the past year alone, the COVID-19 pandemic resulted in an unprecedented amount of sensitive personal data, mostly health data, being collected by most (if not all) companies in Malta, possibly without such companies having implemented the required policies and procedures.

Brexit also required data processing entities to question how they are sharing personal data with companies located in the UK. The invalidation of the Privacy Shield as a result of the Schrems II judgment before the Court of Justice of the EU brought further chaos, with companies now having to undertake transfer impact assessments when transferring personal data to the US, along with the execution of standard contractual clauses, which themselves are in the process of being refreshed.

On a brighter note, in the past three years, data protection authorities published numerous guidelines, regulations and decisions that will assist companies in their compliance exercises going forward. These guidelines have provided companies with information on a vast array of topics, ranging from virtual voice assistants, the interplay between the PSD II and the GDPR, as well as detailed guidance on the principles of data protection by design and by default.

Local non-profit organisations, including the Malta IT Law Association and the European Association for Data Protection Professionals, have also been key in educating companies in their compliance exercises through organised webinars on the subject. It is hoped that the continuous filling of this pool of knowledge will better educate businesses and data subjects on their respective obligations and rights under the GDPR, allowing Malta to become one of the most well-respected jurisdictions for data protection compliance.

Going forward, we expect to see even greater awareness being drawn towards data subjects’ privacy, especially due to innovative technologies and more sophisticated ways in which personal data is processed. One such example is the processing of personal data using artificial intelligence instead of the legacy systems that are currently in place.

Companies and data subjects must brace themselves for the inevitable illegal uses of personal data such as through hacking, further interference and hijacking of personal data. Controllers of personal data are, now more than ever, encouraged to familiarise themselves with GDPR compliance measures to avoid substantial penalties that can apply as a result.

This article forms part of Camilleri Preziosi’s ‘GDPR ‒ Looking Ahead’ series, in which members of the firm’s data protection team explore and evaluate the emerging trends in the sphere of data protection.

A webinar on GDPR is also being organised by MITLA. For more information go to: https://www.mitla.org.mt/consent-management-webinar/
