As 2018 ended, enforcement under GDPR was just beginning to ramp up. And as we’ve started 2019, there’s been a substantial fine by the CNIL in France, and court cases in the UK and Ireland. The first enforcement actions—which included fines for companies in and outside of Europe—provided a glimpse into the types of oversight and penalties we’re likely to see from data protection authorities in the coming months and years.
Historically regulators have typically issued fines only reactively, such as in the event of a security breach or incident that was caused by negligence (such as losing unencrypted laptops), malicious intent, or unethical practices (such as data misuse). But initial GDPR actions demonstrate that regulators are proactively monitoring organizations’ security and privacy posture, even in the absence of a security breach or incident.
The First Wave of Enforcements
Late last year, authorities in Portugal issued a €400,000 fine to a hospital for failure to apply appropriate access controls over digital patient data. One of the most interesting aspects of this particular case is that no breach of data occurred. It indicates that corporations of all sizes, across the EU and in other jurisdictions, should expect a rise in regulator activity from a variety of catalysts, not just breaches.
In another GDPR enforcement, the UK Information Commissioner’s Office (ICO) demanded that a Canadian-based organization “cease processing any personal data of UK or EU citizens obtained from UK political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes,” or else face significant financial penalties. That enforcement validated the expectation of many experts that data protection authorities will indeed pursue any company in violation of GDPR regardless of whether or not they are based in Europe. We expect to see more use by regulators of the corrective powers provided in the GDPR’s Article 58 to order that processing of EU personal data cease or that international data flows of EU personal data are suspended in future regulatory actions, and the impact of such an order on an organization’s operations cannot be overstated.
We’ve also seen that small and mid-sized companies will not fly under the GDPR radar and must be equally prepared to face fines and other penalties proportionate to their businesses. An app developer in Germany experienced this first-hand when it was penalized by data protection authorities for failing to follow basic security practices for user passwords. We expect to see more enforcement in such areas, most likely triggered by a complaint from an aggrieved customer or by a security breach or incident.
And global corporations beware! No matter the size or might of global corporations and how endemic their products or services, European regulators are not afraid to take on the most powerful organizations to demonstrate their commitment to the principles of data privacy and the rights of EU citizens, with the CNIL issuing the largest GDPR fine to date of €50m in January 2019.
Fines are likely to increase in frequency and severity for poor data management, violation of the GDPR’s principles of integrity and data minimization and other data processing missteps that could result in a breach. Because data protection authorities now have much more power to investigate and correct issues than ever before, we’re also likely to see an increase in whistleblowing activity. In many cases, this type of activity will be aimed at using the regulator’s investigation to influence other legal matters, such as employment litigation, union negotiations, etc. Any organization that is involved in an ongoing dispute may find that opposing parties now have more incentive to notify authorities of potential non-compliance or GDPR infringement, to damage the organization’s reputation or otherwise weaken its position.
Organizations should also expect regulator cooperation, with many agencies across jurisdictions working in tandem with data protection authorities to investigate and bring enforcement on multiple fronts. This may be particularly impactful in industries like healthcare, pharmaceuticals, and financial services, where regulators are already extremely active.
Beware of Corrective Powers
The teeth in GDPR can bite much harder than fines alone. Reputational damage resulting from publicized non-compliance is a major concern for many organizations, as is the authority regulators have to take corrective action against certain operations. The impact of brand damage or the inability to maintain the necessary international transfers of data out of the EU can last far longer than the hit of a single monetary penalty.
Article 58(2) of the GDPR outlines a number of corrective powers, including public reprimand and demand for compliance within a specified time period – which leads to a loss of control over timescales for projects and a resulting increase in remediation costs. Data protection authorities also have the ability to impose limitations on data processing and transfer activities, which many organizations, such as financial institutions and advertising firms, rely on as part of their daily course of business. This would effectively result in a freeze of business operations, requiring swift action to have the limitations lifted. Reinstating operations after such a freeze could be complicated. Inability to closely follow regulator instructions within set timeframes can land a company in serious financial, legal and operational trouble.
Bolstering GDPR Resilience in 2019 and Beyond
Regulators will no longer have sympathy for failure to put the right processes in place. Likewise, they are more likely to show favor to organizations that have in good faith taken steps to get their data house in order. Implementing sound information governance practices such as data mapping, implementing privacy by design into operations, documenting risk assessment, robust incident management and universally enforced retention policies will be invaluable in demonstrating that good faith.
Further, access management and other security controls that are now considered basic requirements must be taken seriously and properly implemented. Role-based access control is a straightforward and effective way to ensure that access to personal data is adequately limited, and that access by outside third parties and contractors is appropriately managed and monitored. Organizations should store password hashes for authentication, never the plaintext password, and no internal log of the hashing process should retain plaintext passwords, as happened with the internal log that recently revealed 330 million Twitter users’ plaintext passwords. Likewise, encryption and data masking are expected practices for high-risk personal data.
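The two password controls named above (store only a salted, slow hash; make sure no log line ever carries the plaintext) can be shown in a few dozen lines. The following is an added example written for this page, not code from the article or from any organization it mentions. It uses only the Python standard library: PBKDF2-HMAC-SHA256 for hashing, a constant-time comparison for verification, and a logging filter that scrubs password-like fields before any handler sees them. The iteration count, salt size, user name and passwords are constructed values for illustration; the `authenticate` function deliberately contains one careless debug line to show the kind of accidental disclosure the filter is there to catch.

```python
import hashlib
import hmac
import logging
import os
import re
from typing import Dict, List, Optional

# Constructed tuning values for this example; raise the iteration count as hardware allows.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted, slow hash and return a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'. Only this record is
    persisted; the plaintext never leaves this function."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and iterations, compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: treat as a failed login, never as success
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


# Matches 'password=...', 'passwd: ...', 'pwd=...' fields in free-text log lines.
SECRET_PATTERN = re.compile(r"(password|passwd|pwd)(\s*[=:]\s*)(\S+)", re.IGNORECASE)


def redact(text: str) -> str:
    """Replace the value of any password-like field with a fixed marker."""
    return SECRET_PATTERN.sub(r"\1\2[REDACTED]", text)


class RedactSecretsFilter(logging.Filter):
    """Safety net: format the record early and scrub password values so that no
    handler (file, syslog, SIEM forwarder) ever receives a plaintext password."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already formatted; prevents a second %-substitution
        return True


class ListHandler(logging.Handler):
    """Collects formatted log lines in a list so the example can inspect them."""

    def __init__(self, sink: List[str]) -> None:
        super().__init__()
        self.sink = sink

    def emit(self, record: logging.LogRecord) -> None:
        self.sink.append(self.format(record))


def make_auth_logger(sink: List[str]) -> logging.Logger:
    """Build an isolated logger whose every record passes through the redaction filter."""
    logger = logging.getLogger("auth.example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = ListHandler(sink)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactSecretsFilter())
    return logger


def authenticate(username: str, password: str, user_db: Dict[str, str],
                 logger: logging.Logger) -> bool:
    """Check credentials against stored hash records. Correct practice is to log the
    username and outcome only; the debug line below is the kind of accidental
    disclosure the filter exists to catch."""
    logger.debug("raw login form: user=%s password=%s", username, password)  # mistake, scrubbed
    stored = user_db.get(username)
    ok = stored is not None and verify_password(password, stored)
    logger.info("login attempt user=%s result=%s", username, "success" if ok else "failure")
    return ok


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}  # constructed sample user
    lines: List[str] = []
    log = make_auth_logger(lines)
    print(authenticate("alice", "correct horse battery staple", users, log))
    print(authenticate("alice", "wrong", users, log))
    print("\n".join(lines))
```

The stored record is self-describing, so the iteration count can be raised later and old records re-hashed on the user's next successful login. The filter is attached to the logger rather than to one handler so that a handler added later (a new forwarder, a debug console) is covered as well; it is defense in depth, not a substitute for never passing the plaintext to a log call in the first place.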
Organizations must begin taking proactive, strategic and holistic steps to get their data management and security in order. It is now clearer than ever before that the authorities may come calling, with or without a security breach or incident. Bringing in new staff with depth of understanding about these issues or working with third-party experts can make a big difference in ensuring programs get off the ground quickly and are executed before a regulatory problem arises.