An Update on GDPR Enforcement

September 20th, 2018

Corporate compliance professionals had two years to prepare their organizations for the arrival of the European Union’s General Data Protection Regulation earlier this year. Now enforcement of the GDPR is upon us — and early indicators are that GDPR compliance is a matter EU privacy regulators will take seriously. Compliance officers should do the same.

First are two recent enforcement actions that suggest privacy regulators have an appetite to pursue exactly the poor data governance practices the GDPR was meant to address. In Britain, privacy regulators announced intentions to fine Facebook £500,000 for sharing user data with Cambridge Analytica, the now-defunct firm embroiled in questions about Russia meddling in U.S. and European elections. In the Netherlands, regulators fined a Dutch bank €48,000 for its failure to respond in a timely fashion to a customer’s request to see data.

Granted, the misconduct in both instances happened before the GDPR went into effect. Facebook’s work with Cambridge Analytica happened in 2014; the Dutch bank dragged its feet in 2016. But that £500,000 fine is the maximum allowed under British law for data governance failures at that time, and the “right of access” at issue with the Dutch bank is a core principle of the GDPR.

The lesson for compliance officers is that regulators already had a willingness to enforce data mismanagement practices the GDPR is intended to prevent — and the GDPR now gives regulators and EU citizens a much more powerful platform to press their cases.

Along those lines, we also have early statistics on the number of consumer complaints since the GDPR went into effect in May. According to the British law firm Cordery Compliance, the United Kingdom had more than 1,100 complaints in the first month of the GDPR era; the Netherlands had 600 within the first two weeks. Other countries seem to be reporting similar numbers, of several hundred to more than 1,000 complaints. (The United Kingdom leads the pack so far.)

Tellingly, many complaints are coming specifically to the data regulator of Ireland — home to the European operations for many U.S. tech companies, such as Facebook and Microsoft. That suggests that privacy activists know where to strike (Ireland) if they want to push for sanctions against large tech companies with vast troves of data on EU citizens.

Rome Rooftop view

Three Early Implications

First, GDPR enforcement risk is real, especially consumer-facing businesses with a high amount of reputation risk entwined in their data collection and usage practices.

Even if privacy regulators ease into enforcement (and so far, many are), privacy activists can still file complaints with regulators themselves. Those complaints lead to investigations, and investigations cost a company money. And the complaints in Ireland suggest that activists want to pursue big players in data collection, which risks big fines for those unprepared.

Second, procedures matter. The Dutch bank mentioned above either didn’t have, or didn’t follow, a procedure to let its customer see his personal data. More cases like this will arise, where EU citizens exercise their “data subject rights” — their right to view data, the right to correct erroneous data, the right to be forgotten. Companies must uphold those rights to comply with the GDPR.

One crucial question is how to craft procedures that fulfill those rights as efficiently as possible. Manual procedures are slow and expensive. Automated procedures, meanwhile, risk bad outcomes if an organization gives the wrong answer: say, an incomplete inventory of personal data, or disclosure of data that should be kept confidential.

So even if data collection policies are well-written, compliance, IT, and other corporate departments still have lots of legwork to develop procedures that: (a) work; (b) don’t disrupt other business processes to an unnecessary degree; and (c) are appropriate given the volume of data requests an organization receives and the other data retention requirements it has.

Third, given the need for effective procedures, consider whether your technology to achieve GDPR compliance is up to the task. Compliance will require a huge amount of risk assessment (particularly of third parties), “compliance gap analysis,” and remediation work to close those gaps. Third-party automation tools can be utilized to help compliance departments automate processes and manage data efficiently.

Can all that work succeed? Perhaps compliance officers can take heart from one other recent item.

In early September, British Airways disclosed that hackers had stolen personal and financial data from 380,000 customers in a breach that happened from Aug. 21 to Sept. 5. It’s too early to know how privacy regulators might respond to that breach, but BA did alert all affected customers and the public by Sept. 7 — within the 72-hour breach notification window required by the GDPR.

That’s one successful step in GDPR compliance, even if many more still remain.