GDPR: Lessons Learned
This came into effect on 25th May 2018, where every organization that processes personal data of EU citizens or residents, or offers goods and services to such people, had to be compliant even if they were not part of the EU.
The fines for any violations are very high, with a maximum penalty of 20 million euros or 4% of global revenue, whichever is the highest. The data subjects also have the right to seek compensation in addition to the fine.
What happened after GDPR came into effect?
Since GDPR came into effect, many companies started to invest heavily in aligning their business practices with GDPR. One of the reasons to have high penalties was to motivate businesses to invest in implementing controls. If the fine is less than the investment required, companies can simply choose to pay the fine. Therefore, on the date of effect, some companies completely blocked users from the EU region citing that GDPR is an additional burden to their business.
The non-profit organization NYOB formed by Max Schrems sued Facebook and its subsidiaries Whatsapp and Instagram, and Google hours after midnight on 25th May 2018 (date of effect). Since then, close to 293 million euros have been issued as fines on various levels, with Google’s 50 million euro fine being the largest to date. There have been around 750 fines and penalties issued by the authorities within the EU so far under GDPR.
What are the lessons we can learn from the incidents so far?
There are many learnings we can gather by studying the GDPR cases reported. Some of these are specific to the domain they belong to while many others are applicable across multiple domains. For instance, medical records of a person are identified under special categories of Personal data in Act 9 of GDPR. Therefore, applications used in the health domain need to have additional controls in place to be GDPR compliant.
Listed below are some of the questions we can ask ourselves when ensuring that IT systems are GDPR compliant. These questions have been identified by studying some of the incidents reported so far that resulted in very large fines.
Do we have proper authorization controls implemented? Are we only exposing data that each role demands to perform its function?
We should always ensure that the system exposes data only to the parties that have a legal basis to access them. In 2018, Centro Hospitalar Barreiro Montijo (CHBM) was fined 400,000 euors, when the Sindicato dos Médicos da Zona Sul (Medical Workers Union of the Southern Zone) reported that non-clinical staff were using ‘medical’ profiles to access CHBM’s computer system. During the investigation, it was found that 985 users were registered on the system with ‘Physician’ permissions, but only 296 physicians were actually employed.
Are we synchronizing data with third party systems? Is the subject aware of this and given proper consent?
In modern days, personal data is stored on different systems providing different services. We tend to think that if we have access to all their information, it will allow us to provide a better service. But this is a violation of that person’s privacy and can even result in unfavorable outcomes to the person involved.
In 2019, Hospital Campogrande DE was fined 10,000 euros when it synchronized data such as MRI scan reports from another hospital. This case occurred when a patient who had an MRI scan done on one of his legs in 2019 due to a work-related injury at this hospital also had the results of a previous MRI scan done in 2018 linked to the latter MRI.
This was done without the patient’s consent or proper medical justification, causing the patient to lose the medical insurance coverage to the work-related injury since there was an already existing injury in the same leg and the incident that caused the injury couldn’t be considered an occupational accident.
Are we only processing data that is required for the function? Do we ensure that only the relevant parties can see this data?
When processing data, it is important to ensure that only authorized parties can see the data, with permission from the subject. This includes protecting the data in transit as well. SC Medicover S.R.L in the health domain faced a fine of 2,000 euros when medical data of an individual was sent to a wrong recipient.
Do we get consent from subjects for data processing? If so, do we keep the consent status updated across the entire business?
It is imperative that we take the consent from the user to process their personal data. This is crucial when using the data especially in marketing. The subjects should be given the option to revert the consent given at any time and this should be updated and taken into effect within the agreed time.
That means if a user decides they do not want to receive any advertisements, those advertisements should not be sent to the user. Italian Telecom (TIM) received a fine of 28.7 million euros in 2019 when call center companies commissioned by TIM targeted non-users for an aggressive marketing campaign without proper consent or legal basic. Some users were contacted up to 155 times in a month. The consent taken from the users was on paper and was not immediately updated when a user revoked their consent.
Can we collect data from the user without explicit consent from the user? Are we forcing consent from users for processing necessary services offered to the user?
It is important to get explicit consent from the users. If the consent is given by agreeing to a very long terms and services document that contains vague conditions or checkboxes selected by default, it will not be considered as explicit consent. Also the users should not be forced to give consent in order to receive the services offered.
Google faced a fine of 50 million euros in 2018, which is the largest fine issued so far because the transparency principle was violated when a user configured an Android device. The description on personalized services in terms of content was vague and spread across multiple documents with many navigation links. The consent was not explicit as the users were asked to consent to all processing operations carried out by Google and the option was pre-selected by default.
Do we apply all the latest security patches to ensure the system is safe from vulnerabilities? Do we take necessary security precautions to prevent cyber-attacks?
Even if all controls are in place, if the system is vulnerable then a malicious attacker can gain access to the system and expose the private data of users. It is the responsibility of the company to protect the data and it’s important to take precautions to prevent any attacks and ensure that it is safe from vulnerabilities.
If you are acquiring a new company or using a third-party system, it is vital to scan for possible vulnerabilities and fix them. When Marriott International in hospitality domain acquired Starwood Hotels and Resorts Worldwide Inc in 2014, it inherited a vulnerability which resulted in a cyber-attack that exposed personal information of 339 million individuals. The attack was identified in 2018 and resulted in a 23.8 million fine.
Do we comply to a subject’s requests to modify, hold or erase data within the acceptable time frame?
As per Article 17 Right to be forgotten, the system should be able to handle requests from users to modify, erase or hold the information.
Kutxabank, S.A received a fine of 100,000 euros because the bank failed to comply to a request of data erasure. The previous customer had exercised his rights to be erased. Later, when the same person tried to open an account at the same bank, he was informed that he could not open an account because his data was still blocked. The customer was also informed that to open an account, he must unblock the data. Temporarily blocking the data does not correspond with the right to be erased. Deleted or blocked data should not be processed again even if it is for the same purpose.
Do we retain personal information after it is not required for the services provided?
Data should be erased or anonymized (if the data is needed for statistical purposes) once it outlives its business value. The data retention period should be mentioned explicitly to the user. One of the violations that triggered Google’s fine was that the data retention period was not clear at the time of obtaining consent and did not provide users the option to specify a retention period.
It is important that we learn from the mistakes of others so that we do not make them as well. A classic case of lessons not learned was when Marriott International was subject to another attack less than 18 months later. On 31st March 2020, the company announced that financial information of 5.2 million guests had been compromised through a guest service application. This second attack happened using the login information of two employees. Therefore, it could be considered as a human error than a vulnerability.
What happened with Marriott International shows that it is not sufficient to have a correct IT system and a knowledgeable data officer. It is also important to provide trainings to all employees who are involved in data handling at any stage about the protocols.