In my last blog, I started to translate the GDPR acronym: what the letters mean in terms of compliance. Why? Because the GDPR compliance challenge is huge.
Many of us could potentially be personally liable if there is a data breach. Most breaches could have been avoided with the correct interpretation and application of the regulation. Heavy stuff, but we need to understand exactly what the law expects of us.
We’ve covered the ABC of GDPR – Adequate level of protection, Brexit and data compliance and Comparing the Brexit scenarios. In this blog, I move on to the DEF of the GDPR – Data Protection Authorities, EU Standard Contractual Clauses and Fines. I fear I’ve created another acronym!
The DPAs, including the European Data Protection Board (EDPB), have been around for some time. They were set up before the GDPR and prior to the Directive, to provide guidance and to enforce the law.
However, they have risen in importance since the introduction of the GDPR, to such an extent that Chapter 6 is dedicated to their tasks, competencies, powers and responsibilities.
Alongside us, as individuals, the DPAs could be considered the real winners of the GDPR. Art. 52.2 outlines that for each Member State: “Each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers”. In plain English, this means people, and the money to pay for them.
However, it seems that not everyone has acted on this. Where some DPAs, for example in France and Germany, have put in place additional staff and budget, others, such as Estonia and the Czech Republic, can show no evidence of any “plans” to increase staff numbers.
This matters mostly because the GDPR brings multiple new powers (art. 58) to DPAs. You can read the supporting documents, but it’s worth noting that Tolstoy’s “War and Peace” has fewer words and is possibly easier to understand! There are important sections that are essential reading for the right people.
In addition to their new powers, DPAs must work closely with the other DPAs under the “One-Stop-Shop” mechanism. This ensures consistency and the sharing of the knowledge they need to manage the growing awareness people have of their data rights, and to cope when any complaints are raised.
Part of the DPAs’ remit also requires them to conduct investigations, approve binding corporate rules (BCR) and, my favorite, to “fulfill any other tasks related to the protection of personal data.”
It will be interesting to read the annual reports of each DPA. Reporting is mandatory so it can be seen how each DPA has addressed GDPR compliance and support.
In most instances, contact with DPAs is likely to be limited to data subjects complaining about their rights not being respected, or an organization looking for assurance that it is acting within the regulation. There will of course be some headline-grabbing offences too.
The speed of response and resolution will be determined by the number of trained staff they have in place. There also needs to be an adequate budget allocation made. As mentioned earlier, it seems that not all have made this provision.
Transparency is a key part of the GDPR. So we’re entitled to read what each DPA is expected to do and compare this to what they actually do. And trust me, people will!
Earlier this year, the French watchdog, CNIL, fined Google €50 million “for lack of transparency, inadequate information and lack of valid consent regarding the personalization of ads”.
It is worth remembering here that the GDPR allows Data Protection Authorities to fine organizations between €10 million / 2% global turnover and €20 million / 4% global turnover, whichever is greater. It is clear which end of the scale CNIL chose. We’ll come back to this a little further on.
The EDPB replaced the Article 29 Working Party (A29WP). As per art. 68, the EDPB has been established “as a body of the Union and shall have legal personality”. The Board shall be “represented by its Chair” and the Board shall be “composed of the head of one supervisory authority of each Member State”.
There seems to be little difference to the A29WP. That said, beyond providing guidelines, monitoring the application of the GDPR and advising the EU Commission on data protection issues, art. 70.1.t allows the EDPB “to issue binding decisions”. This ensures consistency across the EU, if requested by a DPA or the EU Commission, or in case of a dispute between two or more DPAs.
This new power puts the EDPB in a ‘Supreme Court’ like position for the purpose of streamlining the application of the GDPR. To date, this has not happened and it will be interesting to see what disputes do arise and if they do, how long it will take the EDPB to provide a “legally binding decision”.
Let’s take a quick look back to last year. The EDPB provided opinions on the various DPAs’ data protection impact assessment (DPIA) requirements lists. If you have doubts on when to conduct a DPIA (per art. 35), you can consult these documents for more clarity.
The intention of the A29WP is not all lost. The guidelines and opinions issued are here. The new guidelines under the Directive cover the same topics, but factor in the changes brought in by the GDPR.
As an employer, it’s useful for you to consult the guidelines. They outline consent, the right to data portability, data protection officers and personal data breach notification. This is very likely to be reviewed in the future to update the opinion of the A29WP on data processing at work.
EU Standard Contractual Clauses (SCC), EU Model Clauses, DTA: whatever you call them, they most likely refer to the contractual templates issued by the EU Commission to facilitate international data transfers from the EU/EEA to a non-EU/EEA country that’s deemed inadequate.
The first template was issued in 2001 to facilitate data transfers from an EU/EEA controller to a non-EU/EEA controller. This was most recently updated in 2010, nine years ago! These are “model” clauses and so cannot be altered.
That said, the clauses do accept that a model contract might not always address every possible business provision. If this is the case, it does say that this “does not preclude parties from adding clauses on business related issues where required as long as they do not contradict the Clause.”
All clear?! What this means in simple terms is that if an individual’s personal data continues to be protected in the same manner after parties have made business adjustments, then the addition is acceptable.
It’s important to point out here that since the introduction of the GDPR, the EU Commission is yet to issue a new template. There has also been no statement to say that the model clauses no longer apply.
The best we can deduce from this “administrative silence” is that the existing templates should continue to be used for data transfers from the EU to a non-EU country until further notice.
As mentioned earlier, €50,000,000 was the amount considered to be ‘adequate’ for Google for breaching the basic principles of transparency, inadequate information and invalid consent. Note here that this was not a fine for a data breach, highlighting that breaches are not all the authorities are looking out for. Hence my statement about there being eyes everywhere.
For any business, even Google, this is a huge fine to absorb. It’s hard to imagine this amount of money. But you could buy 600 new Porsche Cayenne S Hybrids, 3,000 new Ford Focuses or 20,000,000 takeaway coffees. Just think how many employees you could make happy with spot bonuses like that. Instead, any GDPR compliance fine is more likely to put your workforce at risk.
The Google fine is not the norm. It’s likely that the amount set for such a high-profile organization was to set a precedent. It was to regain the focus of business leaders who might have taken their eye off the ball. It is only natural for the human psyche to treat a date as finite, when really it marks the start, especially for GDPR.
Let’s take a look at what some of the other DPAs have been up to over the last 10 months:
The Austrians were the first to issue a fine under the GDPR. €4,800 for the unlawful use of a CCTV system. The interesting part of this fine is not the amount, but the procedure behind it. Unlike its EU colleagues, who have so far issued a warning to an infringing company, it has directly fined the organization. No messing about!
The Belgian DPA has been redesigned to meet the new requirements and powers of the GDPR. So far, it has not investigated or issued fines under the GDPR.
CNPD, the Portuguese DPA, fined a hospital €400,000. This was due to the access of PII data without authorization from appropriate admin staff or doctors. The fine was imposed for a violation of ‘data integrity and confidentiality’ and for a ‘violation of data minimization’.
The Spanish Government recently announced a new data protection law. So far, AEPD, the data protection authority, has not issued any administrative or enforcement actions.
The Swedish DPA has taken a different approach. It is focused on ensuring that, where a public authority or an organization is required to appoint a data protection officer, it has actually done so.
So far, no fines have been imposed, but reprimands and warnings have been issued to those that didn’t comply. You could say it is taking a “prevention is better than cure” approach.
Early to the party, since 2016 the Dutch have had to comply with the data breach notification process. Incident reporting is increasing, to the degree that in 2018 there were 20,881 breach notifications.
AG, the Dutch DPA, has not, however, logged any breaches. Actions taken include investigations and advice, but no monetary penalties to date.
It’s possible that individuals have been informed, but they decided not to escalate to the DPA. Will this be the get out of jail card for too many businesses? We’ll wait and see.
The UK has one of the most active EU DPAs, the ICO, but with Brexit lingering on, who knows what changes might happen, and when! But, I digress, distracted, as always, by this political hot potato!
The Cambridge Analytica scandal is perhaps the highest-profile example of data misuse yet. Cambridge Analytica was the company behind the misuse of personal data held by Facebook, and its use for social media engineering. Facebook was fined £500,000, a fairly lenient fine considering Google’s, but this was imposed under the previous regulations, due to the timing of the case.
Currently, the ICO is investigating a range of data breaches. Among these are cases against British Airways and Dixons Carphone.
While DPAs are fully briefed on the new regime, they’re still miles away from operating comfortably with their newly given powers. The fine issued by CNIL clearly made the headlines. However, it needs to be compared to other fines and actions taken by EU counterparts for true context.
For certain we will see fines of equal, if not higher amounts than those already issued, but I suspect this will not be the norm.
Organizations, and the data controllers and processors thereof, are well advised to ensure their GDPR implementation programs have dotted the i’s and crossed the t’s. Compliance doesn’t stand still.
As the press release explains, NGA Human Resources is the first and only organization to obtain an Assurance Report on GDPR-related controls from KPMG.
With my colleagues at NGA HR, I’ve written a number of guides and webinars to show our clients a safe GDPR path. I’ve listed these here for your easy review.