Regulators sympathetic to GDPR growing pains but expect maturity

Regulators who spoke at the recently concluded Compliance Week Europe conference in Amsterdam acknowledged businesses were still very much in the “awareness” phase of implementation of the EU’s complex new set of data privacy rules, but that doesn’t necessarily mean they’re shielded from sanctions.

In fact, data protection authorities (DPAs) from at least 23 of the 28 EU member states have issued fines under the GDPR, three of which have topped $50 million. The exact number of enforcement actions is not known, but it’s more than 100.

The question you might be asking, then, is if you’re among the many organizations still trying to fully grasp the rules and wrap your head around all of the data your organization collects, should you expect the “carrot” of guidance from regulators or the “stick” of enforcement if you’ve been found to be in violation?

“If there is a complaint, we’re going to investigate,” insisted Ventsislav Karadjov, deputy chair of the European Data Protection Board and chairman for the Bulgarian DPA. “We cannot say there is a grace period and we’re not going to sanction you. If the infringement is very severe, and it concerns a lot of people, the remedy for these people would be a sanction.

“But if we identify that the [data] controller is responsible and has done his (or her) utmost to be compliant, then there is a good opportunity that the controller is not sanctioned, but with some of the instruments of the regulation will be advised what to do, how to do it, and be prescribed a period of time to take actions. After that time, if he doesn’t undertake the actions, he’ll be sanctioned.”

In other words, if you can prove you’ve demonstrated a good faith effort at implementing the rules and understanding which data is collected across your organization and for what purpose, you’re much more likely to get the carrot than the stick.

Ali Shah, the head of technology policy for the U.K.’s DPA, the Information Commissioner’s Office (ICO), took issue with the carrot versus stick characterization, saying it’s “more nuanced” than one or the other, but agreed with the idea that the more you can show efforts to protect data across your organization, the better you’ll be viewed in the eyes of regulators.

“If a complaint comes in or we determine there’s an issue, we need to investigate and to understand,” said Shah. “Sometimes the answer is talking to the organization and advising them on how to resolve the issue. Or, depending on the nature of the issue, it could lead to a compulsory audit, stop notices, fines—all of the range of enforcement powers.”

Specifically, regulators will look at whether you’re taking a mature approach to how you manage data.

“We understand it’s a journey, but what we won’t accept is that the work is not being done in all parts of the organization to try and become more mature,” Shah said. “You have to be on that journey and demonstrate that.”

Empower your DPO

An engineer by trade with a specialty in machine learning, Shah has been with the ICO for just over nine months and brings a valuable outsider’s perspective. He said a company’s data protection officer (DPO)—a role required for every company impacted by the GDPR—is critical, and that whoever fills those shoes needs to be empowered by their organization’s leadership in order to be truly effective.

“If a complaint comes in or we determine there’s an issue, we need to investigate and to understand. Sometimes the answer is talking to the organization and advising them on how to resolve the issue. Or, depending on the nature of the issue, it could lead to a compulsory audit, stop notices, fines—all of the range of enforcement powers.” 

Ali Shah, Head of Technology Policy, Information Commissioner’s Office 

“It’s a tough environment,” Shah said. “Not only do you have to wrestle with what the law says, but you also have to go and convince your leadership about why this matters, alongside all of the employees who are dealing with your customers and the different ways that your customers might be interacting with you. That can feel like a tall order.”

It’s an especially tall order without headline-grabbing enforcement actions that can scare senior management into empowering the compliance function. The ICO has issued the two biggest fines under the GDPR so far—£183 million (U.S. $230 million) for British Airways and £99 million (U.S. $124 million) for Marriott—both in the wake of massive data breaches. Aside from those two, there haven’t been the kind of big fines many predicted for 2019. Thus, DPOs in some organizations face an uphill battle in their quest both to take stock of all the data the company holds on customers (and whether they need to hold it) and to implement the data protection measures required by the GDPR.

Shah’s advice for DPOs: “Start to make the rest of the organization understand it’s no longer possible to tick compliance and have it rest just on the data protection officer. This has to go upwards and downwards and across the board. Raising awareness within the organization about why it’s necessary for everything from product and engineering, through to the InfoSec security teams through to the leadership. Being aware of the intrinsic nature of personal data in your business and what risks that might carry if there is noncompliance, that’s important.”

Find your data privacy champions

That perspective was backed up by Angela Bardenhewer, the DPO at Fusion for Energy, an EU institution that is governed by a slightly different set of rules from the GDPR but that is generally very similar.

She pointed out most of the principles of the GDPR are not new, “but what has really been changed is this shift of culture” that is required.

Her strategy is to delegate across her organization, to essentially create data privacy coordinators across all silos of the business—HR, finance, procurement, product management, etc.—and hold them accountable. It’s a strategy endorsed by Shah and Karadjov wholeheartedly.

“If you identify like-minded people in product and engineering and elsewhere, they will act as your champions because they will feel motivated,” Shah said. “Fundamentally, most people just want to do the right thing, but they’re not necessarily going to get energized by conversations about compliance. But they will get energized if you say, ‘Let’s work on your product idea and try and [figure out] how you can achieve what you want to achieve with your innovation but make sure it fits on what we all have agreed as a society about the laws that represent us.’ ”

During the panel discussion, Karadjov briefly took off his regulator hat and put himself in the shoes of a DPO, offering examples of the questions he’d ask his company and how he would approach one of the most difficult jobs in compliance.

“First thing is, you need to have a clear understanding of all of the activities of the business,” he said. “You have to understand that clients are data subjects as well. What is the minimum data you need to provide the service you’re providing? DPOs should talk to departments to see if [the personal data] they are collecting is reasonable. Is it excessive? Keep in mind, every data subject may request this data to be deleted.

“Second, you have to know what every department is doing, what data they are collecting, for what purposes, to whom they are delivering the data outside the organization, and why they are doing it. And you have to document all of this.”

It’s a daunting task, but one Karadjov explains will benefit the company in a number of ways. Not only will the DPO be able to create a comprehensive data blueprint and perform a risk assessment for each department, but he or she will also be able to respond promptly to data subject requests: “You’ll immediately know on what legal grounds you are processing this data and can immediately respond instead of doing the analysis on each request.”