In 2018, it was almost impossible not to stumble upon any news stories regarding the newly-effected General Data Protection Regulation (GDPR) and the potential hefty fines that could be issued for its non-compliance. Even if people were unaware of the current affairs, it was unlikely that they avoided the slew of messages and website notifications requesting their consent concerning the use of their personal data.
In short, the GDPR was enacted to protect the fundamental rights of individuals with regards to their personal data protection and privacy. It allows the individual more control over what personal data can be collected and stored, what it can be used for and who it can be shared with.
For companies across Europe, panic ensued a few weeks before the May 2018 deadline, despite the fact that the GDPR had been under discussion for two years. The situation in Cyprus was no different in early 2018, however like in many other European countries interest in the subject slowly dwindled. With only a trickle of fines coming through and a lack of news coverage about enforcement action, the impact of GDPR seemed to have lost its effectiveness.
It has now been a total of 15 months since the GDPR has been in effect across the EU and there have been mixed reactions within the Financial Services Industry. Some firms have embraced the newly introduced information security measures and data processing streamlines, while others failed to prepare, blaming this inadequacy on lack of resources and other distractions attributed to growing changes in their regulatory environment.
A year of fines
According to a survey carried out by DLA Piper, a total of 35 personal data breaches were reported in Cyprus within the first eight months of the GDPR implementation.
The Cypriot Data Protection Commissioner has issued at least two fines so far for 2019, one for €5,000 to a state hospital, after a patient complained to the Commissioner that the request for access to her medical file was not satisfied and a second one for €10,000 to a newspaper for the unlawful disclosure of the names and pictures of two police officers, allegedly involved in the illegal detention of a citizen.
These examples do little to support the notion that the GDPR is something that must be prioritised in the corporate industry. It is supported by many that until more fines are issued, companies and organisations are unlikely to take the consequences of non-compliance into serious consideration and stop believing that the implications of the GDPR and its requirements have been greatly exaggerated. Some firms have opted to do the bare minimum by adding privacy notices on their websites and allowing clients to unsubscribe to email newsletters and company news. However, this is not enough.
What can you do?
With GDPR, firms must be able to comply with requests to remove, correct, share or provide personal data to their data subjects, as well as implement the technical and organisational measures supporting individuals’ data protection rights. They must have policies and security measures in place and promote awareness about data privacy in their firms.
FAI Comply can support your firm’s compliance endeavours with our fully-tailored GDPR Action Plan. Whether your company has already begun implementing measures or not, FAI Comply can provide the essential guidance for compliance with the GDPR data protection principles. You can contact us for more information by emailing info@fai.com.cy or calling us on +357 25933301.
Written by Anastasia Kyriacou Petallidou, Compliance Consultant, FAI Comply