Part 2: GDPR Fines Swell in Volume & Value – How To Avoid Getting Stung!
The Takeaways
Applying the insights gained from analyzing the fines, coupled with a desire to escape a boatload of headaches, fines, legal fees and impacts to your business, has plenty of advantages. Here’s how to keep your organization from getting bitten:
- Create a data protection culture by providing hands-on privacy programs and updates to help keep data protection front of mind. Relevant and interesting newsflashes will reduce exposure leading to violations and sizeable fines. Be sure to keep individual training records to help demonstrate compliance with a DPA if the need arises.
- Consent, consent, consent! Understand when explicit consent (freely given, specific, informed and unambiguous) is required, e.g. for email marketing, profiling, health data, etc., and how to obtain it. Use layered notices and ensure they are easy for your audience to understand, using concise, intelligible, clear and plain language.
- Implement appropriate technology and systems to keep personal data secure and confidential, with the capability to support Right of Access (Article 15) requests within one month of receiving the request, which can be extended by two further months if the request is complex. Not only will you have to provide the personal data itself, you’ll also need to explain why and how their data is processed, including:
  - any recipients their data has been shared with
  - the envisaged storage period, and
  - any use in automated decision-making, including the logic involved and the consequences (Article 22)
- Build in appropriate methods and processes to ensure that when consent is withdrawn or the right to opt out is exercised, the deletion is complete. Otherwise, it might be wise to suppress the person’s details and use them as a cross-reference to cleanse other internal records until all lists are clean, and be sure to incorporate a cleansing procedure into any system backup and recovery processes. If the data has been shared, you’ll also need effective methods to notify third parties that the person has exercised their right to be forgotten.
- Data breaches are more than just large-scale hacks; they include the “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 32). Minimize the impact of a breach by adhering to data minimisation and utilizing encryption and pseudonymisation techniques (Article 25). Pseudonymisation is where direct identifiers are replaced by a key, e.g. John Henry → ID #123, and the key mapping is stored separately from the pseudonymised data, so that if a breach of the data occurs, it cannot be used to link the key to an individual (or, if possible, simply anonymize the data completely so it’s no longer considered personal data). Also, be sure that any personal devices have the appropriate safeguards.
- Where sensitive employee data is collected (ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life) or monitored, it needs to comply with local laws. To complicate matters, explicit consent may be invalid in an employee–employer relationship. When combined with other data protection principles (the right to be forgotten, transparency, proportionality, necessity, right of access) it can become downright tricky: human resources needs to keep data for labour, tax and other related legislation while still adhering to data minimisation principles. Also, be sure to inform employees of any monitoring that will be carried out, including email (including virus scans), internet usage, metadata and video surveillance.
- Controllers vs Processors – Don’t just assume once a processor, always a processor. Familiarize yourself with how a processor can easily become a controller, who is responsible for ensuring adequate data protection along with any related responsibilities and fines. Controllers must demonstrate compliance with the six principles relating to the processing of personal data as per Article 5(1): lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality.
- Data transfers are tricky! Personal data transfers are one of the most notable GDPR principles, as highlighted previously, with over €164 million in fines. If data is being transferred between EU countries, no additional steps are required. However, transfers to a country outside of the EU must provide an ‘adequate’ level of protection. Currently, Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay are recognized as meeting adequacy standards, but it is best to keep an eye out for updates here. The US had a separate Privacy Shield program, but it was declared invalid on July 16, 2020, resulting in any data transfers having to meet the third-country adequacy protections (2). If the transfer is to a third country or an international organization, then it needs to provide ‘appropriate safeguards’ (Article 46) ensuring data subject rights and legal remedies are available. Other mechanisms to meet the appropriate data transfer safeguards include:
  - Binding corporate rules (Article 47)
  - A legally binding and enforceable instrument between public authorities or bodies
  - Standard data protection clauses adopted by the Commission or a supervisory authority (Article 93)
  - An approved code of conduct (Article 40) or certification mechanism (Article 42) with binding and enforceable commitments from the controller/processor in the third country
If the data transfer does not meet one of these mechanisms, then authorisation from a supervisory authority will be required, unless the data transfer is covered by one of the derogations (explicit consent from individuals, contract performance, substantial public interest, legal claims, vital interests, public registers, non-repetitive transfers).
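The pseudonymisation and erasure points above (replace direct identifiers with a key, keep the key mapping separate from the working data, and make sure a withdrawn consent or erasure request actually breaks the link) are easier to reason about with a concrete model. The following is an added example written for this article; it is not code from the original post, and the records, the `KeyStore` class and the `ID-` token format are constructed for illustration. It shows that a leaked copy of the working dataset alone cannot name anyone, that re-identification requires the separately held key store, and that deleting a subject's mapping entry leaves their remaining rows unlinkable.

```python
"""Pseudonymisation with a separately held key table (added example).

Direct identifiers are replaced by an opaque ID; the ID -> identity mapping
lives in a separate store, so a leaked copy of the working dataset cannot be
linked back to a person without it. All records are constructed sample data.
"""
import secrets


class KeyStore:
    """The 'key' table: pseudonym <-> direct identifiers.

    Assumption: in production this is a separate database with tighter access
    controls and its own audit trail, never co-located with the working data.
    """

    def __init__(self):
        self._to_pseudonym = {}  # normalised email -> pseudonym
        self._to_identity = {}   # pseudonym -> {"name": ..., "email": ...}

    def pseudonym_for(self, name, email):
        """Return the stable pseudonym for a person, minting one if needed."""
        lookup = email.strip().lower()
        if lookup not in self._to_pseudonym:
            # Random token rather than a sequential "ID #123": a counter would
            # leak enrolment order and make other subjects' IDs guessable.
            pid = "ID-" + secrets.token_hex(8)
            self._to_pseudonym[lookup] = pid
            self._to_identity[pid] = {"name": name, "email": email}
        return self._to_pseudonym[lookup]

    def identity_of(self, pid):
        return self._to_identity.get(pid)

    def forget(self, email):
        """Erasure support: drop the mapping so the subject's pseudonymised
        rows can no longer be linked to them. Returns the removed pseudonym."""
        pid = self._to_pseudonym.pop(email.strip().lower(), None)
        if pid is not None:
            del self._to_identity[pid]
        return pid

    def __len__(self):
        return len(self._to_identity)


DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise(records, store):
    """Replace direct identifiers with a pseudonym; return the working dataset."""
    working = []
    for rec in records:
        pid = store.pseudonym_for(rec["name"], rec["email"])
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working.append({"subject_id": pid, **rest})
    return working


def reidentify(working, store):
    """Join the working dataset back to identities; only possible WITH the store."""
    joined = []
    for rec in working:
        ident = store.identity_of(rec["subject_id"])
        if ident is None:
            continue  # mapping erased: this row stays anonymous
        joined.append({**ident, **{k: v for k, v in rec.items() if k != "subject_id"}})
    return joined


def leaked_copy_is_linkable(working):
    """Simulate a breach of the working dataset only: does any row name a person?"""
    return any(k in rec for rec in working for k in DIRECT_IDENTIFIERS)


SAMPLE_RECORDS = [  # constructed sample data, not real people
    {"name": "John Henry", "email": "john.henry@example.com", "plan": "gold", "city": "Lyon"},
    {"name": "Ada Byron", "email": "ada@example.org", "plan": "basic", "city": "Graz"},
    # Same person as row 0 with different email casing: must get the same ID.
    {"name": "John Henry", "email": "John.Henry@example.com", "plan": "gold", "city": "Lyon"},
]


if __name__ == "__main__":
    store = KeyStore()
    working = pseudonymise(SAMPLE_RECORDS, store)
    print("working dataset:", working)
    print("leaked working copy linkable:", leaked_copy_is_linkable(working))
    print("with key store:", reidentify(working, store))
    store.forget("ada@example.org")
    print("after erasure:", reidentify(working, store))
```

Note the design choice in `forget`: because the working rows carry only the pseudonym, removing the mapping entry is what satisfies the erasure request for that dataset, and the same check (is the pseudonym still resolvable?) is what a backup restore should run before re-importing old rows.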
The benefits of abiding by the GDPR regulation clearly outweigh the costs. Sound data protection policies and processes will reduce your business risk while keeping your company’s financials free of fines and other related expenses. It is also an opportunity to give customers confidence that your organization is a worthy custodian of their data, and to earn their consent to additional purposes that help support the development of new products and services. Plus, people are more likely to happily subscribe to communications from companies they love and want to hear from.