What Your Organization Can Learn From GDPR Enforcement

Since the General Data Protection Regulation (GDPR) became enforceable in 2018, enforcement has ramped up across Europe. Data acquired by Finbold indicates that the cumulative number of GDPR violations surged 113.5% over the 12 months between July 2020 and July 2021. The GDPR Enforcement Tracker (a list of GDPR fines) shows that, so far, the European Union’s Data Protection Authorities (DPAs) have administered 730 fines across Europe. Significant fines have been levied against Amazon, which the Luxembourg DPA fined €746 million for “Non-compliance with general data processing principles,” and against WhatsApp Ireland Ltd, which paid €225 million for “Insufficient fulfillment of information obligations.”

According to GDPR Enforcement Tracker, leading violations include:

  1. “Insufficient legal basis for data processing” with 311 fines generating a total of €183,227,088.

  2. “Non-compliance with general data processing principles” with 186 fines generating a total of €784,034,744.

  3. “Insufficient technical and organisational measures to ensure information security” with 184 fines generating a total of €69,690,519.

These three violations are, by far, the biggest causes of GDPR fines. Here’s what we can learn from the commonalities in these fines:

Insufficient legal basis for data processing:

When we observe the reports of penalties imposed on data controllers in this area, we can surmise that the DPAs are working to promote a clear message through their enforcement actions: “Consumers’ data no longer belong to the companies.”

It’s important that organizations realize that any data they retain must satisfy at least one of the conditions in Article 6 of the GDPR (“Lawfulness of processing”), because under this data privacy regulation a company cannot treat data belonging to consumers, customers or clients as a company asset.

This violation must be analyzed not just from the standpoint of data collection, but through the lens of data privacy as a dynamic process. Companies must have a legal basis to justify data collection, and data controllers are not allowed to change that legal basis whenever they want. The legal basis must form a coherent system that can demonstrate the organization’s compliance with the requirements of the GDPR.

Luckily, though, the GDPR allows for some flexibility, so long as a legal basis can be continually demonstrated. For example, if an organization collects data from an individual and that data subject later withdraws their original consent, the organization may still be able to process the data if another legal basis applies, such as “processing is necessary for the performance of a contract to which the data subject is party.”

Non-compliance with general data processing principles:

It’s important that companies establish mature compliance programs regarding data privacy. Employees must be aware of privacy policies and practices and management teams must align with the Board of Directors to set expectations.

DPAs have been emphasizing that data controllers must build a privacy culture inside the organization in alignment with Article 5 of the GDPR (lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; accountability).

The DPAs expect companies to invest in training programs that promote fair processing of personal data, limit the retention/collection of data, and use data only when essential for the company to carry out its business purposes.

Insufficient technical and organizational measures to ensure information security:

The company must understand the profile of data collected and assess potential damage to data owners in the event of a breach.

Article 24 of the GDPR states, “…the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”

There is no “one size fits all” approach to complying with this article. Organizations must continuously assess the risks posed by a potential breach and create safeguards to address them, always monitoring the risk and documenting every solution adopted to protect the data (encryption, physical measures, cybersecurity investments, and administrative controls are just some of the measures that can be used to protect data).

If a data controller cannot put satisfactory safeguards in place to house the personal data, it might be best not to collect that data in the first place.


Fostering good practices for your company will enhance your company’s performance, boost resilience and build a strong organization. And keeping abreast of DPA enforcement action is a good way to prioritize security efforts. As the famous European writer Miguel de Cervantes once said: “To be prepared is half of the victory.”

Sources:

Number of GDPR fines surge by 113% in a year despite strict regulations (finbold.com)

GDPR Enforcement Tracker – list of GDPR fines
