GDPR: Two years already! What did we learn?


On May 25th, 2018, the General Data Protection Regulation (GDPR) entered into effect, changing the global legal landscape in the process. However, as data protection is not a static area, it is necessary not only to initially set compliance measures, but also to continuously make efforts to maintain data security, compliance and governance. As the Coronavirus crisis demonstrated, today’s society relies heavily on technological tools and connectivity, processing an increasing amount of personal data. At a time when the line between private and professional life has never been so thin, when technology is invading public and private spaces, the GDPR is essential to safeguard the privacy of individuals. Thus, the following five lessons learned from the implementation of the Regulation over the past two years can be highlighted.

1. The importance of the Data Protection Officer’s independence

The position of Data Protection Officer (DPO) has been highlighted by the Regulation; nevertheless, this role is not new and brings together competences in the fields of quality, security and law. Because of this multidisciplinary aspect, the function of DPO is already very specific. On top of that, the Regulation imposes specific independence requirements on the person exercising this profession within an entity.[1] This obligation implies that the DPO does not have decision-making powers, but merely the power to give advice and opinions. The Austrian supervisory authority thus fined a hospital €50,000 for failing to appoint a DPO, even though the entity, in view of the sensitivity of the data it processed, was required by law to do so. In order to avoid such a sanction, and because of the specific needs in terms of both competence and independence, it may be appropriate for entities to call on a professional external DPO service, rather than appointing an internal one who is already carrying out another activity.

2. The lagging reaction from websites

Despite the efforts made by organizations and companies, there is still room for improvement before websites reach a satisfactory level of compliance. Among the causes: out-of-date data protection or “privacy” policies, sometimes not easily accessible[2] or even non-existent; non-compliant cookie management;[3] and inadequate security measures for users’ personal data. It can happen that websites make public information that should not be accessible and would require enhanced security measures: the Italian supervisory authority fined a community €10,000 on the latter basis, because information concerning court decisions, including medical data of its inhabitants, could be accessed on its website.

3. Data Protection by Design and by Default, too often forgotten

Data Protection by Design and by Default consists of taking data protection into consideration and implementing technical and organizational measures from the very first stages and throughout the entire lifecycle of any processing activity. This principle is all the more important as it is simpler to implement these measures directly, when a service or idea is first conceived. It also reduces the chances of technical errors that could have an impact on data protection, such as the one encountered by a Greek telecom service provider that was fined €200,000.[4] Similarly, a German real estate company was fined €1,400,000 because it was technically impossible to delete data stored in its database, even when the data was no longer necessary for the fulfilment of its purpose. These examples show that data protection must be integrated into all stages of a project, before going into production. This is all the more serious in the current context of the health crisis, where a significant number of solutions processing sensitive data have been developed in a hurry.

4. Security, the watchword

As recently published in the news,[5] personal data are at the heart of cyber-attacks. Beyond the commercial and reputational concern of protecting an entity’s data, there is a regulatory obligation for each data controller to protect personal data by appropriate technical and organizational measures.[6] This obligation requires the prior categorization of personal data within the organization in order to determine the most suitable measures for each category of data. In addition, it is necessary to regularly test and improve infrastructure, both physical and IT, since the data controller will have to answer for any breach of the confidentiality, integrity and availability of the personal data it processes. Due to a failure to implement appropriate technical and organizational security on its website, the UK supervisory authority notified an airline of its intention to levy a fine amounting to more than €204,000,000. As technology evolves at a fast pace, establishing appropriate measures is not enough: security must be continuously tested, verified and improved as far as possible in order to avoid any data breach.

5. The value of training and awareness sessions

Finally, not all data breaches result from a cause external to the organization; in fact, most of them have an internal, non-malicious origin. One of the missions of the DPO is to train and raise awareness among all the actors of his entity on the protection of personal data, and to try to prevent such breaches from happening. One of the points of attention is the procedure to follow in case of a personal data breach, or alert procedure, without forgetting data protection principles[7] such as data minimization, storage limitation or purpose limitation. Moreover, it is important to remember that it is preferable to refer to the person in charge of data protection in case of any doubt, and that it is mandatory to consult him/her before each new processing operation.

Conclusion

All the afore-mentioned elements were already known as of May 2018, and the sanctions and data breaches of the past two years have simply confirmed and highlighted their importance. Even in times of health crisis, regulatory authorities remain active and companies are not immune to security incidents… it is not too late to take relevant action for your GDPR compliance!

Upcoming this year

1- Continuation of the arm wrestling launched by Max Schrems against Facebook: on July 16th, 2020, the ECJ will give its ruling on the validity (or not) of the standard contractual clauses.

2- Record penalty of €204 million: will the ICO confirm its intention to sanction British Airways when the aviation sector has seriously suffered from the coronavirus?

3- After receiving feedback from all member states, the European Commission shall submit a report on the evaluation and review of the Regulation (Article 97 GDPR). This report should have been submitted by May 25th, 2020 at the latest, but due to the sanitary crisis it might be postponed for a few weeks or even months.

[1] Article 38(6) GDPR provides that “The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.” Moreover, the Article 29 Working Party adopted specific guidelines on the DPO specifying the independence requirements, available at: http://ec.europa.eu/newsroom/document.cfm?doc_id=44100

[2] The privacy notice should be accessible within a maximum of two clicks, following the decision of the French data protection authority (CNIL) to fine Google Inc. €50,000,000.

[3] The collection of non-necessary cookies can only occur after the explicit and unambiguous consent (opt-in) of the terminal user, not by default.

[4] Because data protection by design and by default had not been taken into account, opt-out requests from users could not be honoured by the system.

[5] EasyJet was targeted by a cyber-attack resulting in a data breach affecting more than 9 million data subjects, including more than 2,000 sets of credit card details. https://www.theguardian.com/business/2020/may/19/easyjet-cyber-attack-customers-details-credit-card

[6] Article 32 GDPR