Bloomberg Law

INSIGHT: 91 Fines Already Under European Data Privacy Law—What Else to Expect in 2019

March 20, 2019, 8:00 AM

As a new year ramps up, legal and data privacy professionals are keeping a close eye on activity among data protection authorities.

This year will mark the first full calendar year of active enforcement of the European Union’s data protection law, the General Data Protection Regulation (GDPR), and will bring the activation of new data protection and cybersecurity laws in the U.S. and globally, making it another year of unrest and uncertainty for data privacy risk.

So far, 91 reported fines have been imposed under GDPR with a number of fines and penalties handed down to multi-national corporations from a range of regulatory bodies. In looking at a summary of the most severe actions, and the information governance (IG) and security missteps that caused them, we can glean insights about what’s likely to come in 2019, and how legal and data privacy teams can strengthen their organization’s risk position accordingly.

There are a number of takeaways these incidents can teach us for moving forward and building better practices in 2019.

Actual Data Breach Irrelevant

First, it’s important to remember that regulators can take action whether or not a data breach has occurred, as evidenced by the €50 million fine imposed by the CNIL not for a data breach but relating to the processing of personal data for advertising purposes without first obtaining consent.

Moreover, a data breach is not necessarily a breach of GDPR. A recent airline breach in the UK is a good example—the company was hacked and suffered a breach that thus far has not been found to be a violation of GDPR. However, an organization that is in breach of data protection laws can be penalized, even if sensitive data has not been leaked or fallen into the wrong hands.

It’s also notable that regulators are demonstrating a willingness to penalize organizations to the fullest extent of the law, and these penalties are not limited to fines but may include other corrective actions.

Physical European Presence Not Required

Further, an organization does not need to have a physical presence in Europe to be impacted by the GDPR. Recent incidents make clear that regulators will indeed enforce their authority under territorial scope, and any corporation with a footprint in Europe, whether they are physically there or not, needs to be prepared. Still, cooperation and good faith can go a long way, and regulators have shown that they may be lenient with organizations that are transparent and cooperative.

Broadly speaking, most of the issues we’ve seen to date have resulted from poor IG and failure to take proactive steps to bring data under control. As illustrated by the matters outlined above, the financial and operational impacts of a GDPR enforcement action are significant. And the risk reaches far beyond data privacy. IP theft is one prime example, which in recent cases has proven to result in corporate financial losses exceeding $1 billion.

Enforcement Actions in 2018

Below are some of the most notable data privacy enforcement actions in 2018:

  • Following a probe into a major technology corporation, regulators in Europe have indicated they may issue a US$1.6 billion fine for a data breach impacting 50 million users. The same organization was also given a £500,000 fine (the maximum allowed under the UK’s Data Protection Act (DPA) of 1998) from the Information Commissioner’s Office (ICO) for violation of data protection laws affecting an estimated 87 million people. The ruling cited that the organization unfairly processed personal data and “failed to take appropriate technical and organizational measures against unlawful or unauthorized processing of personal data.” Notably, the ICO mentioned that the fine would have been considerably higher if the violation had fallen under the scope of GDPR.
  • The ICO in the UK issued another £500,000 fine against a major financial industry organization for failing to protect the personal information of up to 15 million UK citizens during a cyberattack. After accounting for fines, legal fees and IT and data security following the incident, the organization has paid out more than US$242 million for the single matter to date.
  • Consumer groups across the EU called for action under GDPR and filed complaints with data protection authorities against a major technology corporation. The complaints alleged that the corporation is illegally tracking and collecting user data without proper consent.

  • A multinational mobility company was fined more than £300,000 by the British ICO and €600,000 by the data protection authority in The Netherlands for a data breach that exposed names, mobile phone numbers and email addresses for more than 57 million global customers and employees. The ICO was publicly harsh against the organization, calling the event a complete disregard for the privacy of those impacted.

  • A small app developer in Germany was one of the first fined under GDPR when it received a €20k fine for failing to follow security best practices, including hashing, to protect user passwords. The oversight resulted in a data breach. While the size of the fine may seem small to a large corporation, it was severe in proportion to the company’s revenues. A larger fine could have been given under the law, but citing the developer’s cooperation, authorities offered some leniency.

  • The ICO in the UK issued a formal GDPR enforcement action against a Canadian data analytics firm, demanding that the organization “cease processing any personal data of UK or EU citizens obtained from UK political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.” The ICO alleged that the firm was “processing personal data in a way that data subjects were not aware of, for a purpose they would not have expected, and without a lawful basis for processing.”

  • In November, France’s data privacy regulatory body, the Commission Nationale de L’Informatique et des Libertés (CNIL), imposed GDPR consent requirements for companies in the online advertising industry.

  • Among the first to issue fines under GDPR, data protection authorities in Portugal doled out a €400,000 fine to a hospital for failure to apply appropriate access controls over digital patient data.

The importance and value that proactive and holistic IG brings cannot be overstated. Legal and data privacy professionals need only to point to the billions of dollars that are being lost due to poor practices to make a business case to their executive bench and begin getting meaningful programs off the ground.

Author Information

Louise Rains Gomez is a managing director in FTI Consulting’s Technology segment. She brings more than 10 years of experience in litigation, e-discovery and information governance, with a focus on helping clients reduce costs and alleviate their broad data management challenges.

Deana Uhl is a senior director in the FTI Technology practice and is based in Houston. Uhl provides consulting to corporate clients, with a focus on designing, implementing and enabling change management for information governance, data privacy, data security and e-discovery.