Accountability and Enforcement Aspects of the EU General Data Protection Regulation: Methodology for the Creation of an Effective Compliance Framework and a Review of Recent Case Law

Paolo Balboni, Martim Taborda Barata, Anastasia Botsi, Kate Francis

Research output: Contribution to journal, Article, Professional

Abstract

The General Data Protection Regulation (GDPR), which has been applicable within the EU/EEA since 18 May 2018, has brought about reinforced rules on personal data protection which have dramatically shifted the paradigm for all organisations bound by them. This includes not just those which actively handle personal data as a core part of their business model, but also those which are required to handle personal data (on employees, customers or suppliers, for example) as part of their day-to-day activities – in other words, all organisations falling under the GDPR’s scope. By holding organisations responsible for their own compliance, and requiring those organisations to carefully assess the risks to the rights, freedoms, and legitimate interests of individuals when implementing measures to address these rules, the GDPR demands a higher level of accountability from all organisations concerned – the ability to not only comply with the rules, but to also demonstrate that compliance has been achieved. To help organisations understand how they can address the practical implications brought about by the GDPR, this article seeks to break down a proposed Data Protection Compliance Framework – six overarching steps which, if correctly and comprehensively implemented by those organisations, will allow them to make the necessary adjustments to their internal practices to align with the GDPR’s requirements. To highlight the importance of implementing such a Framework, the article also explores the different types of powers granted to supervisory authorities in order to enforce the Regulation, and includes a selection of relevant supervisory authority decisions to allow insight into common types of GDPR breaches, and common enforcement responses (including fines) taken by those authorities.
Original language: English
Pages (from-to): 103-254
Number of pages: 158
Journal: The Indian Journal of Law and Technology
Volume: 15
Issue number: 1
Publication status: Published - 31 Dec 2019
