1 year of GDPR: this is what did and didn't happen

GDPR & Cybersecurity
16 May 2019

by Evelien Callewaert

On the 25th of May it will be one year to the day since the dreaded GDPR legislation took effect. The panic that took hold last year is nowhere to be seen today. So has nothing actually happened over the past year?

The GDPR - the General Data Protection Regulation - began with an intensive preparatory phase. A great deal had to be done in anticipation of the GDPR, and if we had believed everything we heard, every company would already have received fines by today. One year later, however, there is little evidence of that.

The impact has therefore been limited, and the Data Protection Authority - the DPA - has played a major part in that. The DPA superseded the Privacy Commission and was immediately given increased powers, including enforcement of the GDPR rules. However, for the first eleven months, the DPA had little clout. At the end of April 2019, a new executive committee was appointed, and that finally promises to bring about a change.

The chair of the DPA, David Stevens, stated in an interview that “the era of sit back and relax when it comes to the GDPR is over”. Exactly how that will work is as yet unknown, but if we follow the lead of our northern and southern neighbours, we will be better prepared.

Neighbouring countries

The Netherlands immediately started to carry out specific checks in June 2018. Checks were performed in around 400 government agencies to establish whether a Data Protection Officer (DPO) had been appointed. Formal warnings were immediately issued to agencies that hadn't yet appointed a DPO. In the private sector, random checks took place to see whether a Record of Processing Activities, which is mandatory for (almost) every company, was available. Companies were also asked to produce a Data Processing Agreement.

France also actively monitored compliance from the very start; therefore, over the past year, the country has simply intensified its focus. In 2018, France carried out more than 300 inspections at a range of companies. Those inspections not only took place on-site, but also online. For example, websites were checked to see whether adequate security measures had been taken and whether the information obligation had been met. French companies are therefore not always aware beforehand that they will be inspected.


Eleven member states have now issued fines and the largest of those was imposed by France. France's data regulator actually issued Google with a €50 million fine. But Uber was also fined in France, the Netherlands and in the United Kingdom for not reporting data breaches.

But it was not only the ‘big names’ that received fines. For example, the DPA fined Dutch bank InsingerGilissen €48,000 for failing to provide a customer with information upon request. The Optical Center in France was also fined €250,000 for failing to secure the data of customers who placed orders through its webshop. Other fines were imposed for the use of personal data for something other than the intended purpose, or for the use of fingerprints without consent. A fine was imposed on a hospital in Portugal because physicians had unrestricted access to all medical files stored by the hospital.

It is clear that supervisory authorities do not hesitate to fine companies. It is also evident that hacks and data breaches do not necessarily have to be huge for fines to be issued. Neither the sector nor the status of the company plays a role.

What now?

Because the DPA only recently underwent a reform, it remains to be seen which specific focus areas will be on the agenda. We should, however, anticipate that the focus will be similar to that in neighbouring countries.

In the year ahead, the Dutch Data Protection Authority (DPA) will concentrate on government bodies and, specifically, on the exchange of personal data both with and by these bodies. There will also be a sharpened focus on data security at healthcare institutions and their legal bases for processing personal data. Finally, the DPA will also concentrate on unreported data breaches and data breaches that are caused by, for example, a shortfall in protection.

Any companies that failed to do so last year really must now make headway with their GDPR policies. Just one important aspect of this is to create a record of processing activities. It is also advisable to look closely at the protection of processed personal data.

Do you require assistance? Please do not hesitate to contact our GDPR specialists at cyber@vdl.be. They will be more than happy to take a look at what progress you have made and whether any refinements are needed.