A little more than six months after that day in May when privacy policy updates flooded our inboxes and the GDPR came into force, a new study of small business owners in the UK has found that many people and businesses remain essentially “clueless” about the law and its requirements. Commissioned by Aon, the study found that nearly half of the 1,000 small business owners polled are confused about the privacy and security requirements of the law, which could lead many businesses to be in breach of the GDPR without even realizing it. Some examples of potential violations reported by the businesses included paper visitor books logging all visitors to the business and viewable to subsequent visitors, training materials featuring full details of real-life case studies, the use of personal devices by employees for work purposes, and inadequate storage and disposal of paper records. The study also found that business owners were not clear on what constitutes a data breach – thinking the term did not apply to paper records or personal data that was mistakenly posted or sent to the wrong person by email or fax – nor were they clear on the notification requirements, either to the UK’s data protection authority, the Information Commissioner’s Office (“ICO”), or to affected individuals. These small business owners should avail themselves of the ICO’s recent insight into its GDPR enforcement approach from earlier this month, which indicates that ignorant non-compliance likely won’t be looked at favorably.

On December 4, the UK Information Commissioner Elizabeth Denham gave a speech to the International Privacy Forum, wherein she stated that she and other EU regulators will prioritize their GDPR enforcement actions towards bad actors that pose a threat to EU residents, not companies that are doing their best to comply. She said that those companies cooperating with regulators and aiming for compliance are more likely to be confronted by the ICO’s advisory role than its fines and penalties role. In addition, she stated that complaints from the public have increased since the GDPR came into force, with the ICO receiving 19,000 in the past six months, 10,000 more than in the previous six-month period. Along with public complaints, the ICO has also unsurprisingly received more breach reports, totaling over 8,000. The ICO is not the only body that has recently opined on the GDPR, with the European Data Protection Board (“EDPB”) releasing draft guidelines on the GDPR’s territorial scope last month. The EDPB confirmed and refined several of the GDPR’s recitals concerning what it means to be “established” in the EU, the “targeting” of data subjects in the EU by controllers and processors not established in the EU, and the meaning of “monitoring” and the extent to which certain collection or analysis of personal data constitutes “monitoring” of data subjects in the EU. It also confirmed that a data subject is only in the EU if he or she is in the EU at the moment that an offer of goods or services is made to him or her by a controller not established in the EU. This should be welcome news for all controllers not established in the EU that routinely process the personal data of EU citizens who are not themselves located in the EU, from employees to visitors.

One major internet and technology company recently re-assessed its own territorial scope, with Google announcing this week that it is moving the control of EU data from its American arm to its Irish arm to aid its GDPR compliance. In so doing, it is availing itself of the GDPR’s “one-stop-shop” provision that allows data controllers operating in multiple EU member states to select a lead supervisory authority to coordinate and cooperate with, rather than interacting with each EU member state’s authority on a piecemeal basis. Google also said in a blog post that it is making the change “to facilitate engagement with EU data protection authorities,” likely hoping its increased engagement will put it in the cooperative and compliant camp when dealing with data protection authorities across the EU.

Our take:

Small business owners and Fortune 25 companies alike are still refining their GDPR compliance approach, even now, more than six months after the law became effective. While for some small businesses this may mean learning what the law is and how it might apply, for bigger companies such as Google this refinement of its approach to GDPR compliance is likely motivated by an analysis of its compliance efforts from day one to now. For any company, determining whether and how the GDPR’s material and territorial scopes apply, and navigating the many compliance requirements, can seem daunting. Luckily for those organizations not established in the EU, however, the EDPB’s recent guidance regarding the GDPR’s territorial scope should help as they work alone or with counsel to determine the best approach to GDPR compliance. Certainly, Google’s recent shift also shows that any company that put its “GDPR Compliance Program” in place on May 25, 2018 and hasn’t touched it since should likely take it off the shelf for review.