11 Oct 2022

Who is Responsible for Enforcing GDPR? And Does More Need to be Done?

Baroness Beeban Kidron – founder of 5Rights Foundation, a charity focused on improving online safety and privacy for children – has a radical suggestion for improving online data privacy, and it’s not what you might think; in fact it already exists and has done since 2018.

‘GDPR is quite brilliant’, she states. ‘It’s not perfect – but the real issue is how poorly it has been enforced. I think if it was radically enforced, a lot of the subsequent regulation would not be necessary. This is a sector built on the sharing and processing of data. So data privacy should get us 80% of the way there’.

She adds that newer bills and measures could even be avoided if those responsible for enforcing GDPR were to take a tougher line with the data protection law we have.

‘We’re now getting very heavy handed and prescriptive bills – DSA, Online Safety and so on – when actually a really robust interpretation of GDPR or the Age Appropriate Design Code would have gone a lot further’.

What is GDPR?

GDPR – or General Data Protection Regulation – was drafted and created by the European Union and has been law since 2018. It threatens hefty fines for any company found in breach of it and compromising the privacy and security of users.

‘From May 2018 if you didn’t put in place the proper compliance you could be exposed to the fines. And the fines are 4% of your global revenue or 20 million Euros – whichever was higher. And that’s why it caught people’s attention!’ explains Nial Ferguson, Managing Director of Sourcepoint in the UK.

Four years on, a mere 1100 fines have been handed out for breaches; an astonishingly low number. Either there are very few breaches (unlikely, given it is surprisingly easy to breach GDPR by accident), or something is not working.

But who is responsible for enforcing GDPR? The policing of GDPR falls to local Data Protection Authorities (DPAs), so the answer varies from country to country. In the UK it’s the Information Commissioner’s Office (ICO), and how doggedly each authority enforces GDPR varies as well.

‘Some DPAs are more active than others’ notes Ferguson, ‘Spain has issued the most fines – whereas Luxembourg has issued the highest value fines, having fined Amazon’. 

Resourcing issues

The challenge, it seems, lies not so much with the nature of the regulation – but rather the manpower countries are prepared to put behind its enforcement.

‘There haven’t been as many fines as we would have expected’, agrees Ferguson. ‘There’s only a certain number of people working at the DPAs – there’s only so much they can do. So they’ve gone after the big fish – the Googles and the Amazons and the WhatsApps. Obviously, it’s much better now people are being asked to consent – but it’s not perfect. I think we still have a long way to go until we can be confident that our data is being processed and used in a way we expect it to be’.

Kidron points to a lack of political will to get things done.

‘First you need the law and the powers. Then you need the resources. But you still need the political will. The challenge the police have with tackling cyber crime is only partly to do with skills and resources – it’s a lot to do with what they are hearing is important. And they’re not hearing that cyber crime is important – we’re being really slow despite the fact we all know someone who has been scammed. I think over the years it will be in the same way we now take cyber warfare or state action much more seriously’.

Fundamentally, she says, we need more will on all sides to protect online privacy.

‘I’m very disappointed by the political will to actually enforce [GDPR]’ she says – before adding ‘But not half as much as I am the tech companies putting their hands in their pockets to resist enforcement instead of complying’.

Her final warning is reputational.

‘I think there’s a reputational and political hazard in passing laws that you don’t apply seriously, resource properly or see the results of’.