First GDPR Enforcement Notice, as Firms also Struggle with Subject Access Requests

First GDPR Enforcement Notice, as Firms also Struggle with Subject Access Requests


On the 25th of May 2018, the General Data Protection Regulation (GDPR) came into effect, bringing sweeping reforms on how organisations handle personal data and manage communications. In the build up to the introduction of GDPR, many of the headlines about it related to the financial penalties that could potentially be levied against non-compliant organisations.

Under GDPR, the maximum fines for non-compliance are up to four percent of global turnover, or €20,000,000 (whichever is greater). At the end of September, AggregateIQ – a Canadian political consultancy and technology company – became the first company to be issued with a GDPR enforcement notice, by the Information Commissioner's Office (ICO) for GDPR non-compliance. Since then, Facebook has also been linked with potential fines, following a breach that exposed user data.

Although these fines will act as a stark reminder for firms to ensure that they are doing all they can to comply with the new regulation, the mere link to punitive action as a result of non-compliance can be very damaging to brand equity and corporate reputation. Perhaps more significantly, however, is the risk to trust in your organisation by customers, suppliers and other stakeholders.

Abuses and breaches aside, recent research has shown that there are some aspects of compliance with GDPR that organisations are struggling with. One such aspect is Article 15, relating to managing requests from customers and other stakeholders about the data that is held on them. Anyone is entitled to issue such requests, which can include confirmation that data is being held on them and being processed, access to the personal data held on them, and other associated information.

Companies that process personal data of any sort need to be aware of how the regulation addresses them directly and the obligations it imposes. For practical tips on meeting the requirements of GDPR, Neopost has produced the ‘Guide to Managing GDPR’ which can be downloaded here. It focuses in detail on compliant communications and managing access requests, so if your organisation has any issues around aspects like Article 15, it may be particularly helpful.

Download our free guide to managing GDPR HERE.

Add new comment