GDPR: What We’ve Seen in Two Years of Implementation
Two years have passed since the General Data Protection Regulation (GDPR) took effect in May 2018, and the European Union (EU) continues to work through issues with implementation.
While the basic rules have remained the same over the past two years (see our 2018 article, “The 10 Minute Guide to Being GDPR Compliant”), national regulators, the European Data Protection Board (EDPB), and the EU Court of Justice have refined the way GDPR is being implemented.
At first, GDPR implementation started out slowly. Only a handful of fines, totaling less than €500,000, were handed out in the first year. Many observers wondered whether any significant fines would be levied against companies.
Then, in January 2019, the French data protection regulator assessed a €50 million fine on Google for a “lack of transparency, inadequate information and lack of valid consent regarding ads personalization.” Sweden piled on in March of this year, with a €7 million fine on Google for failing to comply with right-to-be-forgotten requests.
British Airways, Marriott Face €315M in Proposed Fines
In July 2019, the U.K. Information Commissioner’s Office (ICO) laid down the law, saying it intended to fine British Airways £183.4 million (€204.3 million) and Marriott International £99.2 million (€110.5 million) for large data breaches. Although these fines have yet to be finalized, they leave no doubt that failing to comply with GDPR could cost companies inside and outside of Europe lots of money.
Under GDPR, violators can face fines of up to 4% of a company’s annual revenue or €20 million, whichever is greater. Companies with large annual revenues are vulnerable to massive fines, while smaller companies could find it difficult if not impossible to pay the €20 million levy.
So far, EU data protection agencies have levied more than 260 fines for GDPR violations, totaling close to €154 million (not including the British Airways and Marriott assessments).
The Italian data protection agency assessed Italian mobile operator TIM for €27.8 million for GDPR lapses, the Austrian agency hit Austrian Post with an €18 million fine, and German local and national data protection agencies levied fines against Deutsche Wohnen SE of €14.5 million and 1&1 Telecom of €9.6 million for GDPR violations.
Spain is the most aggressive EU regulator, with 43 GDPR enforcement decisions, followed by Romania with 27 and Germany with 25.
In November 2019, the EDPB issued final guidance on the territorial scope of GDPR, including Article 30, which requires data controllers and processors and their EU representatives to maintain a record of processing activities that shows why and how the data is being processed. The extent of the obligations was considered a grey zone in GDPR and not fully adopted.
In its final guidance, the EDPB clarified that “while the maintenance of this record [of processing activities] is an obligation imposed on both the controller or processor and the representative, the controller or processor not established in the Union is responsible for the primary content and update of the record and must simultaneously provide its representative with all accurate and updated information so that the record can also be kept and made available by the representative at all time.”
What is “Adequate” Information Security?
Many of the GDPR fines have been levied for having insufficient technical and organizational measures to ensure information security. This poses the question of what measures are considered “sufficient” or “adequate” by regulators.
This judgment is up to the individual data protection agency, which makes it difficult for companies to determine what security measures to implement to comply with GDPR. For example, the Rousseau platform, which operates the websites of the Movimento 5 Stelle party, was fined €50,000 by the Italian data protection agency for having inadequate information security that led to a data breach.
The agency concluded that Rousseau had failed to implement the following GDPR-related information security practices: adequate vulnerability assessments, strong password policy, use of secure protocols and digital certificates, strong cryptographic algorithms, logging of user and IT support activities, limiting privileges of system administrators, and anonymizing e-voting system activities.
In addition, the U.K.’s ICO cited inadequate security measures as the reason for both the proposed British Airways and Marriott fines. While the agency did not disclose in its announcements why those security measures were inadequate, it has identified security lapses that have led to data breaches.
These include poor board-level awareness of security risks, inadequate staff security training, non-compliance with security policies, failure to understand supply chain risk, deferring security investments, poor data governance, staff workarounds of security measures, and misconfiguration of systems.
The next few years are likely to see stepped up enforcement of GDPR as more European countries bring their national laws in line with GDPR rules and join in issuing fines. There are more investigations and hefty fines to come because national data protection authorities are still clearing a backlog of GDPR complaints.
While the U.K. exited the EU earlier this year, it has pledged to comply with EU regulations at least for the remainder of this year. And the U.K. government has said it will continue to apply GDPR rules even after the transition period, which ends Dec. 31, 2020. In addition to the EU countries, GDPR also covers Iceland, Liechtenstein, and Norway under the European Economic Area agreement.
More Data Archiving Fines Likely
Forrester Research predicts that there will be an increase in fines for companies failing to comply with data access and data deletion requests from individuals. As an example of this trend, a German property company that archived customer data in a manner that did not enable data deletion was recently fined €14.5 million.
Forrester expects GDPR enforcement to increase on employers who fail to comply with requests from employees to access their employment information. For example, Bulgaria’s data protection agency fined an employer an undisclosed sum for a delayed or incomplete response to an employee’s data access request.
EU Court of Justice Rulings
The EU Court of Justice has issued rulings clarifying aspects of GDPR requirements.
Three major court rulings have clarified the definition of “data processor,” an entity that processes personal data for another entity, and have expanded on the concept of “joint controller.” The court has broadened the concept of “joint controller” to include entities that do not have access to the personal data concerned.
In a 2019 ruling, the court held that German website Fashion ID was a joint controller with a social media platform for the collection and transmission of personal data because of the integration of a “Like” button into its website.
Entities that process data for other entities need to sign a contract clarifying their responsibilities. If they do not have one in place, they could be fined up to €10 million, or 2 percent of annual worldwide revenue, the lower category of GDPR fines.
In addition, in a 2019 case involving German online gaming company Planet 49, the court ruled that website operators that want to store cookies on a user’s device must get active consent. It ruled against Planet 49, which used a pre-ticked checkbox for opt-out consent for cookie storage.
To avoid running afoul of GDPR, website operators should obtain active and specific consent from users. Thus, pre-checked boxes, or notices stating that continued use of the website constitutes consent (soft opt-in), will not be sufficient for GDPR compliance.
EU regulators and courts are beginning to give teeth to GDPR. Companies of all sizes and locations need to take a good, hard look at their data security operations in light of GDPR requirements.
Dropsuite Can Help with GDPR Compliance
If you were uncertain regarding the need to make investments to comply with GDPR, then the recent enforcement actions and court decisions make it clear that the time to act is now.
Dropsuite’s data backup and archiving solutions are designed to ensure compliance with GDPR and other data security regulations.
The company’s automated backup and archiving along with one-click restore ensures that data is available when needed. The advanced search feature makes finding data fast and efficient to ensure compliance with a consumer’s request for data access or deletion.
Our GDPR Responder Utility enables you to safeguard, store, discover, export, and delete data. The utility enables Data Protection Officers to assign roles, review GDPR requests, as well as review, flag, export, and delete data and explain why data can or cannot be deleted.
The utility provides delegated access permission, which enables you to assign and delegate internal/external access permissions for GDPR discovery and review for auditors. It enables you to comply with “right to be forgotten” requests by providing a way to export a copy of data under GDPR Article 15-1 for the requester or delete data under GDPR Article 17-1 that does not conflict with business regulations.
Our GDPR Responder Utility provides message level retention and legal hold capabilities. You can add retentions from 6 months to indefinitely on individual or bulk messages and add legal holds for indefinite periods on individual or bulk messages.
And our utility is compatible with Microsoft Exchange Online, Hosted Exchange, and G Suite Gmail.
For more information on Dropsuite Email Backup and Archiving, Dropsuite Website Backup, Dropsuite GDPR Responder Utility, or any other backup solutions, contact us at firstname.lastname@example.org.