By MARIA NICA
A partner of Vernon | David law firm, Maria is also a Certified Compliance and Ethics Professional. She has worked on numerous compliance matters, including implementing and reviewing GDPR programs, fraud and employee malfeasance cases as well as FCPA and DNA investigations.
Every day I notice another headline about a major fine levied against a well-known company for violations of privacy laws. From Facebook’s $5 billion sanction by the Federal Trade Commission to British Airways’ £183 million penalty for violation of the EU’s new General Data Protection Regulation (“GDPR”), one can see that these cases are getting serious and costly. And did I mention Marriott’s almost £100 million fine after hackers stole the records of 339 million guests? Ouch.
Unless you have been sailing the islands for the past year, you are likely familiar with one of the most discussed legal developments in years: the EU’s implementation of new comprehensive rules on the protection and usage of personal data. Known as GDPR, these rules create the most significant and restrictive privacy laws in the world. And the rules come with a serious enforcement bite, with possible fines of up to Euro 20 million or 4% of the perpetrator’s total worldwide annual turnover, whichever is higher! Having come into effect in May 2018, the new GDPR rules have just finished celebrating their one-year anniversary. So, let’s take a minute to see how they fared in Romania.
In brief, the Romanian Data Protection Authority (“DPA”) has taken a slow approach to enforcement, focusing more on raising awareness of the new rules as well as issuing brief guidelines and FAQs to help businesses better understand what is expected.
So far, the DPA has levied only 3 fines under the GDPR. The largest of the fines, of Euro 130,000, was levied against a multinational bank. It was determined that the bank had not done enough to “minimize” the usage and processing of personal data for the intended purposes and did not have adequate safeguards protecting the personal data. The DPA determined that the bank was exposing too much personal information of payment issuers (such as the national identification number and the address) to payment recipients. Over 300,000 people were affected. Although a complicated and technical issue, the lesson here is that when evaluating processes from the point of view of personal data, one shouldn’t fall back on “for sure this is needed” and should seriously consider the extent to which personal data is really needed for such processes, even in highly regulated business environments.
The next fine, of Euro 15,000, was levied on one of the biggest hotels in Bucharest. A printed breakfast attendance list with information about 46 guests was photographed by an unauthorized person who then published the photo online. The hotel self-reported the incident. It is not clear how the list was exposed, but it is not hard to see how a hostess at breakfast might have left the list of guests and room numbers on the stand at the restaurant’s door. Clearly, the hotel did not take the necessary measures to safeguard the guests’ personal data.
The third fine, of only Euro 3,000, was levied on a consultancy firm found to have inadequate security measures: two links allowed public access to a set of files containing the personal information of individuals who had performed online transactions with the firm, such as their names, addresses, emails, phone numbers, details of the transactions performed and so on. Although clearly the DPA is not issuing fines at the level of the UK’s regulatory authority (see British Airways and Marriott hotels), I do believe that the DPA will become more active in the following months. In view of this, based on my work on GDPR issues over the last year, I think there are 4 key takeaways that company managers should be aware of.
First, the timeframes for notifying a breach are very short: only 72 hours. Although there are exemptions to this rule, these tight deadlines mean that a data controller needs an effective contingency plan and the corresponding procedures in place today. Practically, there will be little time to consider the issue if (or when) a breach occurs. Action will need to be taken immediately, so be ready.
Second, a “paper policy” will not be enough. A data controller needs to have an effective data protection policy in place and, very importantly, must adequately train its personnel to ensure that the policy is actually effective.
Third, people are looking for violations and they often know their rights. I am frequently asked if something is a violation of the GDPR. This attitude increases the risk for many data controllers, as more individuals notice violations and won’t hesitate to file complaints with the DPA.
Finally, each data controller needs to have a focused and tailored policy that reflects its activities, the type of data that it is processing and the amount of risk associated with such data processing (the needs of a hospital are quite different from those of a business consultant). GDPR policies are not “one size fits all”!