GDPR compliance: what if you don’t comply as of 25 May 2018


GDPR COMPLIANCE has been the very hot topic of 2017 and will continue to grow in the next couple of months, as we are reaching 25 May 2018, the famous date on which Regulation (EU) 2016/679 will apply to any controller and processor around the world falling into the scope of the Regulation. This topic will increase in importance with general awareness, with the need to “think privacy first” before any processing of personal data occurs, and with the increasing number of privacy pros emerging around the globe to advocate for privacy.

In this historic race for data protection compliance, the European Commission published a new website, with extensive guidance on that matter. This site is pretty intelligible, and designed in a simplified and easily accessible manner. It covers important areas of the GDPR indicating, among others:

including an infographic section with a summary of key areas that relate to the GDPR such as rights and duties, and consequences for non-compliance.

Now processors of personal data may have to demonstrate to the authorities that, and how, they comply with the Regulation (‘accountability’ principle).

__________________

WHAT TO EXPECT IF YOU DON’T COMPLY WITH THE GDPR?

On its new website, the Commission reminds us of the four-step process before a supervisory authority may impose an administrative fine (art. 83 of the GDPR) on businesses or organizations for non-compliance. These steps are:

(1) WARNING ⇨ (2) REPRIMAND ⇨ (3) SUSPENSION OF DATA PROCESSING ⇨ (4) FINES

and according to the Regulation, sanctions shall “in each individual case be effective, proportionate and dissuasive” (art. 83 § 1 GDPR). Therefore, the fine regime allows a supervisory authority to impose a fine in addition to other measures, being (among others):

  • warnings (art. 58 (2) (a) and recital 150 of the GDPR);
  • withdrawal of certifications (art. 58 (2) (h) of the GDPR); or
  • suspension of data flows (art. 58 (2) (j) and 83 (5) (e) of the GDPR).

__________________

WHAT DOES ARTICLE 29 WP SAY ABOUT FINES UNDER THE GDPR?

The Article 29 Working Party (‘A29WP’) just updated its 253rd document, called “Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679” (wp253). This document contains more details on the fine regime and on how controllers should behave to avoid fines.

The guidelines explain that warnings may already be given to controllers when processing operations are likely to infringe provisions of the Regulation. This means that warnings may be used as a preventive measure against a potential infringement (footnote, page 5 of wp253). A reprimand can, in some cases, replace a fine (page 9 of the guidelines), etc. In addition to this, the A29WP adds an interesting statement about the balance between imposing corrective measures with or without fines:

“Fines are an important tool that supervisory authorities should use in appropriate circumstances. The supervisory authorities are encouraged to use a considered and balanced approach in their use of corrective measures, in order to achieve both an effective and dissuasive as well as a proportionate reaction to the breach. The point is to not qualify the fines as last resort, nor to shy away from issuing fines, but on the other hand not to use them in such a way which would devalue their effectiveness as a tool.”

The message is pretty clear: the supervisory authority shall ensure effectiveness by finding the right balance between fines, other measures, or both. Still, fines should not be “devalued”, meaning that a fine that is too lenient may encourage controllers and processors to continue doing business without ensuring compliance.

You can access the guidelines on administrative fines here.

__________________

AUTHORITIES WILL NOT FINE EVERYONE AS OF 25 MAY 2018

It has become popular to hear and read from many people and consulting firms coming out of nowhere, shouting on social media and the internet, that the end of the world is going to happen in May 2018 should you be non-compliant. The reality is a bit more complex, and such statements aren’t true. It is true that after 25 May there will be no more deadline for GDPR readiness, so sanctions may potentially be quite heavy when a controller is audited, questioned by an authority, or if an individual lodges a complaint against the controller. But this may only happen after the authority performs an assessment of the situation, starting with exchanges of communications, then maybe an audit if a data subject submits a complaint for an infringement of their rights, or if one claims that the controller is breaching the law. You’d better be working on your GDPR readiness if you are subject to the Regulation and haven’t started yet. But it seems necessary to remind some basic considerations that are a bit less scaremongering on the sanction regime and compliance readiness, just to name a few:

  • Fines are not going to rain on data controllers as of 26 May 2018. This is a myth designed by hungry newly created consulting firms using fear as a marketing tool to sell their GDPR-related services. Mid- to large organisations that are aware do not get trapped, but smaller ones may.
  • An authority will not issue a fine before having found evidence and probably warned the processor of personal data (controllers and, to some extent, processors) that there is, in their opinion, a breach of the law. It means that the process would require conducting investigations, including audits of, or by, the controller, its retailers, suppliers or business partners, but also interpreting the GDPR, which is not easy.
  • According to the UK ICO’s Steve Eckersley, “some investigations take 8-12 months to complete”. So it will take some time. Taking the example of the UK, Steve Eckersley also mentions that “the ICO is now recruiting an additional 100-150 people to work on GDPR aspects and cyber security”, predicting that the ICO will receive “30,000 breach notifications a year”. This is not a meaningless number.
  • Authorities are, and will remain, very busy creating their own teams, supporting controllers by providing them guidance and support, helping them interpret the Regulation, implementing exceptions to the GDPR into their own local laws (if they choose to do so), examining how to deal with breach notifications, working on DPIA submissions, etc. So the top priority is not to sanction everyone, but rather to get ready by having the right staff to support this massive change in the regulatory landscape. The GDPR may be a huge project not only for those who process personal data, but for every stakeholder, including authorities pressured by the Commission for their own readiness. Being busy does not mean that no sanction will occur. My sense is that there will be sanctions, but not immediately, as everyone will be in a rush.
  • Regulation (EU) 2016/679 does not indicate fines as the first, nor the last, measure if failing to comply with the law. In theory, a supervisory authority would warn the controller before an infringement of the law, where it is likely to occur. When a GDPR audit occurs in less clear-cut cases, there will be room for dialogue and exchanges between authorities, legal counsels, appointed DPOs, outside counsels, data processors and other players of this privacy ecosystem. It will also be interesting to see whether the level of complaints issued by individuals will increase in the future, or whether GDPR compliance will build more trust. Some people tend to forget that the GDPR is a formidable opportunity for organizations to advertise their good behavior and willingness to listen to their clients’ needs and respect their rights.
  • Compliance shall be maintained and monitored over time. GDPR compliance is not a one-shot project. It becomes a new behavior for companies vis-à-vis their clients and their business partners, and it has to be included in the organisation’s processes. This will continue for as long as the Regulation remains in force, which means that a fine may occur much later. Your organization may be GDPR ready for 25 May 2018, but might not be anymore if compliance is not maintained over time.
  • (edit) More than 70 provisions of the GDPR offer room for EU Member States to deviate from the Regulation. This means that knowing the GDPR as a general law is not sufficient, and there will be different approaches depending on the country. Germany was the first country to adopt its own adaptation of the GDPR in its local data protection law. You can access links on another article of this blog to track Member States’ readiness and deviations from the GDPR. As not all the provisions of the Regulation are self-explanatory, and many provisions are subject to interpretation, compliance with the GDPR remains a case-by-case assessment and will be subject to interpretation. As mentioned in this article, it could take around 10 years “before the GDPR might be considered a mature piece of legislation that is well understood”.

__________________

OTHER THREATS AND RISKS THAN FINES

Processors of personal data (controllers and processors) should not only fear fines. A fine may just add a further bad taste to an already over-salted menu.

Personal data processors should take into consideration other risks or threats to their business as a result of GDPR non-compliance than just fines. Here are just a few examples that demonstrate how non-compliance may impact your organization and potentially your business as a whole:

  • reputational damage, financial and customer losses after an incident. Notifications of cybersecurity incidents to the individuals, when a breach is “likely to result in a high risk to the rights and freedoms of natural persons” (art. 34 (1) GDPR), reputational damage causing loss of business opportunities, loss of customers, potential contractual liabilities, breach of contract (just to name a few), may be much more damaging than a fine. If you read the news, you probably heard about the TalkTalk disaster, where the unprepared spokesperson of TalkTalk gave the worst signal ever to their customers when making a public statement about a data breach incident.
  • business discontinuity and recovery costs due to an incident. Not only may a cybersecurity incident cause the organization to stop being able to conduct its regular business and have reputational consequences on the market, but it will require spending a lot of money to conduct investigations, fix the issue, change the processes where necessary, put in place stronger measures to prevent further incidents, etc. A cybersecurity incident does not mean you are in breach of the GDPR, but with the increasing amount of personal data processed through connected networks, it is likely that a breach will also concern personal data of natural persons, which is regulated by the GDPR. This is where putting in place appropriate technical and organizational measures (which I call “ATOM”) plays a crucial role. In the most optimistic scenario, a well-equipped and prepared company may not even be required to inform the authorities, nor the individuals. In any case, it remains crucial to discuss and implement a cybersecurity preparedness plan and an incident response plan with the relevant people at a senior level.
  • suspension of data flows. While a cybersecurity incident may cause business discontinuity for a relatively short period of time, an authority may impose a suspension of data flows. Whatever the practical aspects of how an authority may enforce such a measure, this might be damaging to the company if there is a business need to process the personal data.
  • competitors taking market share. This is a fear that some organizations should think about if they consider non-compliance with EU privacy laws to be just an academic topic. This is also where the GDPR is a great opportunity.
  • long-term ability to do business affected. Suspension of data flows may not be a common sanction given by an authority. However, non-compliance may prevent organizations from continuing to do business with EU clients and cause them to cease being competitive, losing market share.
  • loss of customer confidence.
  • staff losses and senior executive resignations.
  • allocation of an extra budget on security, data protection, restructuring, new roles and internal audits.
  • etc.

While NOT all organizations around the world falling into the scope of the GDPR will be GDPR compliant as of 25 May 2018, businesses and organizations whose processing of personal data creates particular risks for the data subjects will be in the focus of the authorities. The so-called “Lex Facebook” will motivate authorities to focus on large companies such as the GAFAM and BATX, but also on their providers.

As long as your organization can demonstrate that GDPR readiness is at the top of its list of priorities and that it is working hard to achieve full compliance, you may be on the road to safety.

Be prepared, but not scared. Make the GDPR an opportunity, not a blocking point. Don’t fear fines, collaborate, remain transparent, prepare to demonstrate that you are working on compliance and that it is a priority for you. And if you need advice, then hire a specialized law firm.

__________________

By Gabriel Avigdor | NTIC.ch