Cordery’s Jonathan Armstrong reflects on the first two years of the EU General Data Protection Regulation
I can remember when my eldest daughter started walking. The joy of seeing her take her first steps and becoming independent, and then, at about two years old, the horror. Knowing that her steps were uncertain and that you were no longer in total control. This analogy brings me to GDPR: we’re now at the stage where we know some of the wild predictions aren’t true.
Some of the experts who said things like ‘GDPR won’t be enforced,’ ‘regulators don’t have the resources to take cases,’ ‘this is just like the Millennium Bug all over again’ are surprisingly quiet. However, as is true for so much in life these days, we don’t yet know what the new normal is. So, what threads can we pull together from the first two years of GDPR?
GDPR is Being Enforced
GDPR is certainly being enforced. It’s hard to get exact numbers on enforcement activity and some data protection authorities (DPAs) are more transparent than others, but our work at Cordery tells us there’s likely more than 5000 enforcement actions to date across the EU. DPAs are broadly in two camps when it comes to the enforcement – some DPAs (like Spain) are doing a high volume of low fine cases and some (like the UK) seem to be concentrating on a low volume of high fine cases. Just a few DPAs haven’t issued any fines that are public yet (at the time of writing) – with Ireland being the most obvious example.
This also illustrates another fundamental point: the attempt to harmonize data protection law and enforcement across the EU just hasn’t worked. Some of us called this out as a pipe dream from the start, but it’s clear that different DPAs react differently to breaches of GDPR and they generally reflect the mood of the country they represent rather than a harmonized view across the EU. This poses extra challenges for businesses, particularly with issues like COVID-19, where different regulators have issued different (and sometimes conflicting) advice.
There’s possibly another explanation for some of this. Big fines are more likely to be appealed. DPAs need to be sure they’re on solid ground. It’s important to remember too that big cases take time – we’ve seen that with some pre-GDPR cases like DSG and Cathay Pacific being concluded in 2020. There will be more cases and we know that some big ones are under investigation.
"The attempt to harmonize data protection law and enforcement across the EU just hasn’t worked"
Data Security is Important
Many (but not all) of the cases have focused on data security. Under GDPR, organizations have to put in place adequate technical and organizational measures to make sure that personal data is protected. Some of the cases involve data being sent to the wrong people, whilst others relate to ‘failure to prevent’ cases – for example, not stopping an attack taking place on an organization’s systems. It’s clear too that DPAs are becoming more sophisticated and looking at patching and the steps needed to stop breaches happening.
The cases have also shown us that it’s not necessary to prove loss for a DPA to take action. In the 1&1 case in Germany, for example, the DPA levied a large fine (€9.55m) even though there was no evidence that anyone had suffered through the failure of the company’s authentication procedures.
However, other issues, such as transparency, are important too. For example, one of the largest GDPR fines to date came from the Italian DPA against TIM in February. Its fine of €27.8m had some data security elements (such as not having a data breach plan in place) but other aspects like the lack of transparency pushed the fine up.
Senior Management Involvement
Data breaches are a when, not if, and we saw when the notices of intent became public in the British Airways and Marriott cases how quickly the board needs to get involved. In these turbulent times, when share prices are volatile, organizations will need to make sure they have a proper plan to try and preserve investor confidence. Regulators also expect the board to be involved in infosec matters too – for example, the UK Information Commissioner, Elizabeth Denham, said in one pre-GDPR case:
“Multinational data companies…must understand what personal data they hold and take robust steps to protect it. Their boards need to ensure that internal controls and systems work effectively to meet legal requirements and customers’ expectations.”
It’s even more essential that the board gets involved in security post-GDPR since the consequences are so much greater.
"It’s even more essential that the board gets involved in security post-GDPR since the consequences are so much greater"
DPIA Everything
Most organizations have now trained people on the Data Protection Impact Assessment (DPIA) process. Done properly, it’s a good way of looking at data security and other business risks in a holistic manner. Increasingly, we’re seeing regulators ask to see DPIAs – mostly famously in the ‘dawn raid’ on Facebook’s premises in Ireland in February.
The DPIA isn’t the sole responsibility of the infosec team – it needs proper business buy-in and should be led by the process owner. Most new projects will require a DPIA and some old ones will too. It’s a process DPAs are likely to put even more focus on over the next 12 months.
Its Not Just Fines
Inevitably, most people focus in on the fines in GDPR cases, but as singer Jessie J once said, “it’s not all about the money, money, money.” DPAs have shown that they’re prepared to use their full armory – for example, ordering that databases are destroyed (as in the HMRC case in the UK) or making sure that data isn’t transferred. Also, its not a case of either/or – in the Doorstep Dispensaree case, the ICO ordered the company to put in place a list of remedial measures as well as paying a monetary penalty. Similarly in the TIM case, the Italian DPA required 20 corrective measures in addition to the fine.
Data Subject Rights
We’re still seeing a large number of data subject requests (DSRs) come across our clients’ desks and some especially challenging subject access requests from employees and aggrieved customers in particular. Awareness of the ability to make a subject access request is on the up, even if some people are mistaken about what they can ask for. The situation is compounded by a number of apps and third party providers offering to make DSRs on an individual’s behalf. These DSRs can look a bit like a DDoS attack and are often made by third parties with only a vague understanding of GDPR and its application.
Organizations do need to treat DSRs properly and deal with regulators appropriately when they seek to enforce the law on behalf of data subjects. However, they also need a strategy to deal with third party requests in particular, which seem to be designed to cause the company harm or make money for the third party.
What’s Ahead?
The next 12 months will likely see more of the same. We’ll have more news on data transfer and class actions after a data breach. There will be challenges with Brexit and the issues around unlawful data sharing and poor data security in response to the COVID-19 crisis. DPAs will have some sympathy with people who did a ‘bad’ thing when trying to do a ‘good thing’ but we won’t see the enforcement agenda stop any time soon. Now the toddler can walk, it won’t be long before it will run!