Many companies expected (or perhaps more appropriately hoped!) that regulatory enforcement of the GDPR would be slow in coming and a de facto grace period might take hold for the first couple of years. Unfortunately, that is not what has happened.
BCLP’s Global Data Privacy and Security Team began defending regulatory inquiries and investigations before most of the parties marking the GDPR compliance date had ended. In addition, we have been monitoring enforcement actions across the EU Member States for trends and interpretations.
An interesting data point comes from Portugal’s supervisory authority, the Comissão Nacional de Proteção de Dados (“CNPD”). The CNPD’s first public enforcement action invoked the administrative penalty provision of the GDPR to fine a hospital 400,000 Euro for its failure to have well-documented access controls surrounding patient data, such as written provisioning and de-provisioning policies. In terms of takeaways, the amount of the penalty indicates that regulators are not shy about invoking significant penalties even when an apparent violation does not appear to have led to quantifiable consumer harm.
Our colleagues at Cuatrecasas in Portugal published a concise description of the case that is worth a read.