Happy 2nd Birthday GDPR!
Written by: Ciara Fitzgerald & Declan Timmons
The GDPR has been in force for two years on 25th May 2020, and a very happy birthday to it! It is debatable whether it has been as noisy as any other two-year-old, but it has certainly had an impact on businesses.
In the months leading up to the GDPR coming into force, businesses were worried about the potentially heavy GDPR compliance burden, and the level of fines that could be levied.
Mitigating Data Protection Risk under the GDPR and complying with obligations
One of the core data privacy drivers for the introduction of the GDPR on 25th May 2018 was the need to make organisations take responsibility for the security of the personal data shared with them in the course of their business activities. This was intended to increase data subjects' willingness to embrace the digital economy and to drive secure online transactions. It followed a period in which huge breaches of personal data were being exposed almost daily, often creating considerable privacy risks for the data subjects whose personal data was exposed. It is not entirely clear whether this objective has been achieved (or can ever be fully achieved); however, businesses have taken, and are still taking, steps to make sure that they comply with their GDPR obligations and minimise their risk.
While data protection is not a new concept, pre-GDPR there were seldom any consequences for organisations that did not comply with their responsibilities under the Data Protection Acts. As most organisations will know, under the GDPR there are a number of sanctions that can be imposed by the DPC, including:
• Issuing warnings and reprimands;
• Imposing a temporary or permanent ban on data processing;
• Ordering the rectification, restriction or erasure of data; and
• Suspending data transfers to third countries.
However, the sanction that created the greatest risk for organisations was the significant administrative fine that can be imposed under the GDPR: up to €20 million or 4% of annual global turnover, whichever is higher.
All personal data processing activities present an inherent risk to a business, but there are ways to mitigate that risk. The severity of the risk depends heavily on the volume of records involved and the type of personal data processed, and that data is processed and stored on a variety of systems. To comply with Article 32 of the GDPR, a risk assessment of those systems should take into account the data processed or stored on each specific system. The output of the risk assessment is a set of mitigating controls that reduce the identified risks. By carrying out and documenting this assessment, an organisation can demonstrate that the technical and organisational measures it has applied are appropriate to the risk.
The Record of Processing Activities (ROP) for personal data is core to demonstrating an organisation's compliance with the GDPR. Every business must fully understand and document each business process or activity that generates a personal data record. Without this foundation, an organisation's understanding of the extent of its data processing is limited and the controls assigned to protect that data are ad hoc at best: the business could not trace a specific mitigating control back to an individual processing activity, and therefore could not show that its controls are appropriate to the risk.
The ROP should be used as the organisation's central reference point when dealing with GDPR compliance: understanding the personal data in scope, protecting that data, providing evidence for accountability, and demonstrating compliance on an ongoing basis.
In addition to the ROP there are requirements to create and maintain a range of data protection policies and procedures and to ensure all staff are aware of their responsibilities in relation to personal data.
Under the GDPR, a nominated Data Protection Officer (DPO) is required for public bodies and for organisations whose core activities involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of personal data. There is a growing trend to outsource the DPO role, because organisations often find it difficult to attract the combination of experience across technology, data protection and information security that is vital to delivering effective data protection compliance and mitigating data protection risk.
To date, the fines imposed by European regulators have not been as headline-catching as anticipated. 2019 was really the first year in which the international community saw the GDPR enforcement machine churn out fines. In January 2019, CNIL (France's regulator) imposed what remains the largest GDPR fine to date, €50 million, on Google for a lack of transparency, failure to provide users with understandable information on its processing operations, and the absence of a valid legal basis for processing personal data for advertising purposes. In January 2020, Garante (the Italian regulator) followed with a fine of €27.8 million on TIM (an Italian telecommunications company) for multiple breaches of the GDPR.
The summer months of 2019 saw the ICO (the UK regulator) announce its intention to fine British Airways £183.39 million and Marriott International £99 million; the ICO has since deferred its final decisions on both. The latter part of the year saw Austrian Post fined €18 million for creating profiles of 3 million citizens documenting their personal preferences, addresses, political interests and other information, which it then sold to third parties.
Also in the latter half of the year, the Berlin Commissioner for Data Protection and Freedom of Information fined a real estate company €14.5 million for breaches in respect of data retention, and the German Federal Commissioner for Data Protection and Freedom of Information imposed a fine of €9.55 million on a telecoms company for failing to take appropriate technical and organisational measures to protect personal data (anyone could obtain customer information by calling the helpline and giving the name and date of birth of a customer).
The Data Protection Commission (the DPC) has come under increased scrutiny as the lead regulator for a significant proportion of the "big tech" companies. There has been some commentary on the lack of fines issued by the DPC, but it has very recently issued its first two fines for breaches of the GDPR, both to Tusla (the Child and Family Agency). The first fine was reported to be €75,000; the amount of the second has not yet been announced. Both were in respect of wrongful disclosure of personal data. In addition, the DPC has announced that it has completed its inquiry into a data breach sustained by Twitter in November 2018, and has sent a draft decision to WhatsApp Ireland in respect of its sharing of information with Facebook and its compliance with Articles 12 to 14 in that regard.
These are only a flavour of the fines European regulators have imposed for breaches of the GDPR, but they show fines being imposed across a broad spectrum of breaches. It was well publicised that the fines proposed by the ICO arose from attacks by external cyber criminals, a signal to companies that appropriately robust cybersecurity controls are essential to minimise the risk of being fined. The fines imposed by the Austrian, German and Irish regulators show the importance of having strong and effective policies and procedures in place, and of actually following them, in order to protect personal data.
The future of the GDPR
It must be borne in mind that the GDPR is still only a toddler, and for a law of this depth and breadth it will take another few years to bed in fully. What is clear is that there is still a lot of "growing" to be done: in terms of its maturity within companies and their processes, and in terms of its use and enforcement by European regulators. The rest of 2020 will see the decision of the Court of Justice of the European Union in the Schrems II case (on transfers of personal data from the EU to the US) and, presumably, a ramping up of enforcement action by the Irish Data Protection Commission now that it has issued its first GDPR fines. It is essential that companies do not let their initial fervour for GDPR compliance lapse. It is as important now as it was on 25th May 2018 that companies abide by their data protection obligations, both to protect data subjects' rights and to protect their businesses.
Ward Solutions can help you maintain your data protection compliance. We provide, on an "as a service" basis, certified, knowledgeable and experienced Data Protection Officers to fulfil the role of DPO in your organisation. Many organisations of varying sizes across all sectors are moving to this cost-effective model to meet their data protection compliance requirements.
Ward Solutions can also assist in improving your overall Information Security posture in a cost effective manner through our “CISO as a service”. We supply a dedicated senior Information Security consultant to work with your organisation to deliver all the responsibilities of a CISO. This service can be delivered for a specific set of tasks, a specific timeframe or on an ongoing retained (but not necessarily full-time) basis.
As always, Ward Solutions will continue to Assess, Protect, Detect & Respond to your cyber security needs. If you need to contact Ward Solutions on any matter, then:
Contact your normal account manager for sales
Contact our orders department
Contact our service delivery office
Contact our Security Operations centre at SOC@ward.ie
Contact our Network Operation centre at NOC@ward.ie
Contact our finance department at Finance@ward.ie
Ward Support Team