In my last blog, I started to translate the GDPR acronym; what the letters means in terms of compliance. Why? Because the GDPR compliance challenge is huge.
Many of us could potentially be personally liable if there is a data breach. Most could have been avoided with the correct interpretation and application of the regulation. Heavy stuff, but we need to understand exactly the expectations of the law.
We’ve covered the ABC of GDPR – Adequate level of protection, Brexit and data compliance and Comparing the Brexit scenarios. In this blog, I move on to the DEF of GDPR – Data Protection Authorities, EU Standard Contractual Clauses and Fines. I fear I’ve created another acronym!
The DPAs, and I will include here the European Data Protection Board (EDPB), have been around for some time. They were set up before the GDPR, under the prior Directive, to provide guidance and to enforce the law. However, they have risen in importance with the GDPR, to such a degree that Chapter 6 is dedicated to their tasks, competencies, powers and responsibilities.
Alongside us as individuals, the DPAs could be considered the real winners of the GDPR. Art. 52.2 outlines that for each Member State, “Each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers”. In simple English, this means people and the money to pay for them.
However, it seems that not all have acted on this. Where some DPAs, for example in France and Germany, have put in place additional staff and budget, others, such as Estonia and Czech Republic, can show no evidence of any “plans” to increase staff numbers.
This matters because the GDPR brings multiple new powers (art. 58) to DPAs. You can read the supporting documents, but it’s worth considering here that Tolstoy’s “War and Peace” has fewer words and is possibly easier to understand! There are some who must take this on, as there are important advancements that are essential for the right people to absorb.
In addition to their new powers, the DPAs must also work closely with the other DPAs under the “One-Stop-Shop” mechanism. This is to ensure consistency and the shared knowledge they need to manage the growing awareness we all have of our data rights (and so they can cope when we raise any complaints!).
Also as part of their remit, the DPAs are required to conduct investigations, approve binding corporate rules (BCR) and, my favorite, to “fulfill any other tasks related to the protection of personal data.”
It will be interesting to read the annual reports of each DPA. Reporting is mandatory, so it will be possible to see how each DPA has addressed GDPR compliance and support.
In most instances, contact with DPAs is likely to be limited to data subjects complaining about their rights not being respected, or to an organization looking for assurance that it is acting within the bounds of the regulation, but there will inevitably be some headline-grabbing offences as well.
The speed of response and resolution will be determined by the number of trained staff they have in place to manage the processes, and this needs an adequate budget allocation. As mentioned earlier, it seems that not all have made this provision.
Transparency is part of the outline of the GDPR, and so we’re entitled both to read what each DPA is expected to do and, if we wish to, compare this to what they actually do. And trust me, people will!
Earlier this year, the French watchdog, CNIL, fined the über-mighty Google, €50 million “for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization”.
It is worth remembering here that the GDPR allows Data Protection Authorities to fine organizations between €10 million / 2% global turnover and €20 million / 4% global turnover, whichever is greater. It is clear which end of the scale CNIL chose. We’ll come back to this a little further on.
The EDPB has replaced the Article 29 Working Party (A29WP). As per art. 68, the EDPB has been established “as a body of the Union and shall have legal personality”. The Board shall be “represented by its Chair” and the Board shall be “composed of the head of one supervisory authority of each Member State”.
So far, there seems to be little difference from the A29WP. This said, beyond the standard tasks, for example providing guidelines, monitoring the correct application of the GDPR, advising the EU Commission on data protection issues, and so on, art. 70.1.t. establishes that the EDPB is “to issue binding decisions” to ensure a consistency mechanism across the EU, if requested by a DPA or the EU Commission, or in case of a dispute between two or more DPAs.
This new power puts the EDPB in a ‘Supreme Court’ like position for the purpose of streamlining the application of the GDPR. To date, this has not happened and it will be interesting to see what disputes do arise and if they do, how long it will take the EDPB to provide a “legally binding decision”.
Let’s take a quick look back to last year. The EDPB provided opinions on the various DPAs’ data protection impact assessment (DPIA) requirements lists. If you have doubts on when to conduct a DPIA (per art. 35), you can consult these documents for more clarity.
The intention of the A29WP is not all lost. The guidelines and opinions issued are here. The new guidelines to be issued under the Directive will cover the same topics, but factoring in the changes brought in by the GDPR.
As an employer, it will be very useful for you to consult the guidelines. They outline consent, the right to data portability, data protection officers and personal data breach notification. This is very likely to be reviewed in the future to update the opinion of the A29WP on data processing at work.
EU Standard Contractual Clauses, SCCs, EU Model Clauses, DTAs: whatever you call them, they’re most likely referring to the contractual templates issued by the EU Commission to facilitate international data transfers from the EU/EEA to a non-EU/EEA country that is not deemed adequate.
The first template was issued in 2001 to facilitate data transfers from an EU/EEA controller to a non-EU/EEA controller. It was most recently updated in 2010, nine years ago! These are “model” clauses and so cannot be altered.
This said, the clauses do accept that a model contract might not always address every possible business provision. If this is the case, it does say that this “does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.”
All clear?! What that means in simpler terms is that if an individual’s personal data continues to be protected in the same manner after parties have made business adjustments, then the addition is acceptable.
It’s important to point out here that since the introduction of the GDPR, the EU Commission has yet to issue a new template. There has also been no statement to say that the model clauses no longer apply. The best we can deduce from this “administrative silence” is that the existing templates should continue to be used for data transfers from the EU to a non-EU country until further notice.
F stands for Fines
As mentioned earlier, €50.000.000,00 was the amount considered to be ‘adequate’ for Google for breaching the basic principles of transparency, inadequate information and invalid consent. Note here that this was not a fine for a data breach, highlighting that breaches are not all the authorities are looking out for. Hence my statement that there are eyes everywhere.
For any business, even Google, this is a huge amount of money to absorb. It’s hard to imagine this amount of money. In ‘street value’, you could buy 600 new Porsche Cayenne S Hybrids, 3,000 latest model Ford Focus’ or 20,000,000 takeaway coffees, for example. Just think how many employees you could make happy with these spot bonuses? Instead, any GDPR compliance fine is more likely to put your workforce at risk.
The Google fine is not the norm. It’s likely that the amount set for such a high-profile organization was to set a precedent; to regain the focus of business leaders who might have taken their eye off the GDPR ball. It’s only natural for the human psyche to map a date as finite, when really it marks the start, especially for GDPR.
Let’s take a look at what some of the other DPAs have been up to over the last 10 months:
The Spanish Government recently announced a new data protection law. So far, AEPD, the data protection authority, has not issued any administrative/enforcement actions.
CNPD, the Portuguese DPA, fined a hospital €400,000. This was due to access to PII data without authorization by staff who were not appropriate admin staff or doctors. The fine was imposed for a violation of ‘data integrity and confidentiality’, and for a ‘violation of data minimization’.
Early to the game, since 2016 the Dutch have had to comply with the data breach notification process. Incident reporting is increasing, to the degree that in 2018 there were 20.881 breach notifications.
AG, the Dutch DPA, has not, however, logged any breaches. Actions taken include investigations and advice, but no monetary penalties to date. It’s possible that individuals have been informed but decided not to escalate to the DPA. Will this be the get-out-of-jail card for too many businesses? We’ll wait and see.
The UK has one of the most active EU DPAs, the ICO, but with Brexit lingering on, who knows what changes might happen, and when! But, I digress, distracted, as always, by this political hot potato!
The Cambridge Analytica scandal is perhaps the highest-profile example of data misuse yet. CA was the company behind the misuse of personal data by Facebook, and for social media engineering. Facebook was fined £500.000, a fairly soft fine compared to Google’s, but this was imposed under the previous regulations, due to the timing of the case.
Currently, the ICO is investigating a range of data breaches. Among these are cases against British Airways and Dixon’s Carphone.
The Swedish have taken a different investigation approach. It is focused on ensuring that where a public authority or organization is required to appoint a data protection officer, it has actually done so.
So far, no fines have been imposed, but reprimands and warnings have been issued to those that didn’t comply. You could say it is taking a “prevention is better than cure” approach.
The Belgian DPA has been redesigned to meet the new requirements and powers of the GDPR. So far, it has not investigated or issued fines under the GDPR.
The Austrians were the first to issue a fine under the GDPR: €4.800 for the unlawful use of a CCTV system. The interesting part of this fine is not the amount, but the procedure behind it. Unlike its EU colleagues, who have so far issued warnings to infringing companies, it directly fined the organization. No messing about!
While DPAs are fully briefed on the new regime, they’re still miles away from operating comfortably with their newly given powers. The fine issued by CNIL clearly made the headlines. However, it needs to be compared to other fines and actions taken by EU counterparts for true context.
For certain we will see fines of equal, if not higher, amounts than those already issued, but I suspect this will not be the norm. Organizations, and the data controllers and processors thereof, are well advised to ensure their GDPR implementation programs have dotted their i’s and crossed their t’s, and continue to do so. Compliance doesn’t stand still.
Because, as the press release explains, NGA Human Resources is the first and only organization to obtain an Assurance Report on GDPR Related Controls from KPMG.
With my colleagues at NGA HR, I’ve written a number of guides, advisories and webinars to guide our clients on a safe GDPR journey. I’ve listed these here for your easy review.