GDPR

The General Data Protection Regulation – 12 months later

Although it is cold as I am writing this, spring is here and summer is right around the corner. A number of important events have taken place – the wildly popular Game of Thrones wrapped up its last season and the GDPR celebrated its first birthday. What is the temperature like in Estonia in the field of personal data protection – lukewarm, ice-cold or smoking hot?

It would be fitting to look for the answer in the Data Protection Inspectorate’s yearbook for 2018[1]. My article is based specifically on this publication.

The yearbook gives an overview of the most important circumstances related to enforcement and implementation of the laws and procedural practice. In the introduction, the Data Protection Inspectorate’s acting director general Raavo Palu notes that 2018 was a year of changes in many regards – for the Data Protection Inspectorate, personal data processors and data subjects. Data processors have had to invest in their procedures, map their personal data processing procedures and, for the first time, some have had to think in a structured fashion about the security of personal data processing and the need for data protection. It is hard to argue that these changes are unnecessary.

Increasingly, today’s society sees personal data as personal property that requires protection, and the right to personal data protection is a fundamental right. Grant Thornton Baltic’s personal data protection specialists have advised many clients operating in a variety of industries – from creditors and financial services providers to local governments to manufacturers of physical goods. This shows that companies understand the need to protect personal data and are ready to seek assistance outside their own company.

The Data Protection Inspectorate received a fair share of breach notifications but was overwhelmed by them

When the GDPR entered into force it was presumed that breach notifications – which had now become obligatory – would flood in. Statistics showed that a month before the anniversary of the GDPR entering into force, the Data Protection Inspectorate had received 101 personal data breach notifications from data processors. From May 25th (the date on which the GDPR came into force) to December 31st, 2018 the Data Protection Inspectorate received a total of 64 breach notifications. The Data Protection Inspectorate’s annual review gives the reasons for breaches as human error, negligence, ignorance and insufficient data protection measures. Various personal data breaches, mainly related to data leaks, also made the news. We, too, have observed that the breaches are mainly caused by ignorance or negligence. This is why, whenever a company’s internal processes are reviewed and changed to add data protection and cybersecurity measures, we advise training the employees in these measures. It is fairly pointless to create and adopt a data protection policy and rules in a company and then not pass them on to the employees by training them.

The Data Protection Inspectorate’s technology director Urmo Parm wrote in the inspectorate’s annual review that last year’s breach notifications led to three misdemeanour proceedings and one administrative supervision proceeding. The breaches happened in the public as well as the private sector. Incidents were registered among providers of web services, healthcare services, banking/financial services and transport services, as well as among data processors in the communication, production and education sectors.

The Data Protection Inspectorate will not become a fine production line

As the GDPR introduced huge fines, there was fear that companies would be fined from day one. Fining everyone has not turned out to be the case. Moreover, in its annual review the Data Protection Inspectorate notes: “The question may arise of when the Data Protection Inspectorate will start meting out the giant fines in the GDPR, which in accordance with Estonian law must be applied in the context of misdemeanour proceedings. In this regard, I confirm that the Data Protection Inspectorate will not become a mass issuer of fines. Our pattern of behaviour in the case of breaches has been to give guidance and issue warnings. We use punishment and coercive measures only as a last resort.”

This of course does not rule out fines if the violation is intentional, repeated and significant. Data processors should not assume that the Data Protection Inspectorate will always merely give guidance and cautions. Data processors must treat personal data in a careful and responsible manner out of respect for data subjects, rather than achieve compliance with the GDPR requirements out of fear of fines and sanctions.

To sum up, we can say that the climate in the first year of the GDPR has been neither hot nor ice-cold. It has mostly been lukewarm. Yet on a positive note, companies have understood the need for data protection and are approaching the issues of personal data protection in a more structured manner. One requirement of the GDPR was the appointment of a data protection officer (DPO), and we are glad to note that the Data Protection Inspectorate has been notified of the appointment of close to 2,700 data protection specialists.

The Data Protection Inspectorate’s annual review also includes recommendations for 2019, of which the most important are the following: establish clear, simple and easily understood data-processing rules for both clients and employees; make sure that company employees have been trained, have received written instructions and know these rules, enabling them to process data in compliance with the GDPR.

Author: Allan Kubu

[1] Available online: https://www.aki.ee/sites/www.aki.ee/files/elfinder/article_files/Aastaraamat%202018%20kohta.%20Soovitused%20aastaks%202019.pdf