A BREACH OF GDPR –
“He’s making a list, He’s checking it twice,
He’s gonna find out who’s naughty or nice,
Santa Claus is in contravention of the
General Data Protection Regulation (EU) 2016/679”
A collective sigh of relief was exhaled when the General Data Protection Regulation (“the GDPR”) came into force on 25th May last. However, for those impacted by the GDPR the challenge is only beginning: 25th May 2018 marked the start of GDPR compliance, not the finish! Even the most benevolent of operators, such as Santa Claus, cannot escape the clutches of the GDPR.
Organisations are now operating in a new landscape of data control and management, where the “new norm” requires heightened awareness amongst both senior management and employees of their GDPR obligations, together with the implementation of stringent controls to process and manage personal data appropriately.
By now, organisations should be familiar with their GDPR obligations and should have implemented appropriate processes and procedures to comply with those obligations and ensure the appropriate management of personal data.
However, this is not the time for organisations to put their feet up and survey a “job well done” on implementing GDPR processes and controls. Vigilance and ongoing monitoring are critical to building a culture of understanding of, and compliance with, the GDPR.
Although the most stringent security measures can be put in place to prevent data protection breaches, human error can circumvent best-in-class processes. It is the main cause of data breaches in organisations, and the most difficult to prevent.
The consequences of failure to comply can be significant from both a reputational and a financial perspective. They include the imposition of significant fines by the Data Protection Commission (“DPC”), and organisations may also be exposed to civil actions by data subjects.
- The DPC has significant powers to ensure compliance with the GDPR and take enforcement action as required.
- The DPC can impose fines on organisations for non-compliance up to €20 million or 4% of the total worldwide annual turnover of the controller or processor in the preceding financial year (whichever is higher).
- The higher tier of fines may be imposed for infringements of obligations relating to the core data protection principles such as transparency and accountability, the processing of sensitive personal data and breaches of data subjects’ rights.
- The lower tier of fines (up to the higher of €10 million or 2% of the total worldwide annual turnover of the controller or processor in the preceding financial year) may be imposed for infringements of obligations relating to obtaining a child’s consent, to the communication of a personal data breach to the supervisory authority or the data subject, or to the designation, position and tasks of the data protection officer.
Article 83 of the GDPR sets out what the DPC must consider before imposing a fine, which includes:
1. Nature and type of infringement: the number of people affected, the damage they have suffered, the duration of the infringement, and the purpose of the processing;
2. Intention: whether the infringement was intentional or negligent;
3. Mitigating factors: what actions have been taken to mitigate the damage to data subjects;
4. Preventative measures: the degree to which the organisation had previously implemented technical and organisational measures to prevent the non-compliance;
5. Categories of personal data: what types of data the infringement impacts (e.g. special categories of personal data).
The Court must approve the quantum of any fine, and affected organisations are entitled to appeal the imposition of a fine by the DPC.
Since 25th May 2018 (and as at 16th November 2018), the DPC has logged 3,111 data breach notifications, of which the GDPR applied in 2,734. The DPC has also logged 2,168 complaints, of which the GDPR applied in 1,321. The DPC has received complaints and breach notifications relating to issues that occurred both before and after 25th May 2018; the pre-GDPR cases are dealt with under the old Data Protection legislation.
On average, approximately 230 data breaches and 220 complaints were received per month last year (2017), and the increased figures since 25th May 2018 are indicative of the greater awareness and focus of organisations on their GDPR obligations.
We have yet to see how the DPC will exercise its powers and the parameters of any fines that issue but it is only a matter of time before we see the imposition of the first fines in Ireland for breaches of the GDPR.
The Data Protection Commissioner, Helen Dixon, speaking at the recent PDP Data Protection Conference in Dublin, noted that the volume of complaints has been high since the GDPR came into effect and that the DPC will prioritise the more important cases affecting the largest number of data subjects. To assist in carrying out its statutory duties, DPC staffing (currently 117) is due to increase to 130 by the end of 2018.
As a sign of what may come to pass in this jurisdiction, the Portuguese Data Protection Authority issued two separate fines totalling €400,000 on a Portuguese hospital in July last for two breaches of the GDPR relating to unauthorised access to patients’ clinical data. The first fine, of €300,000, was issued for failing to respect patient confidentiality and limit access to patient data; the second, of €100,000, was issued for failing to ensure the confidentiality, integrity, availability and permanent resilience of processing systems and services.
An impacted data subject can also bring a civil claim for damages against an organisation (whether a data controller or a processor) under Section 128 of the Data Protection Act 2018 without lodging a complaint with the DPC. It is likely, however, that in most cases an aggrieved data subject will lodge a complaint in parallel with any civil action and will await the outcome of the DPC investigation before progressing the civil action.
Recently, more than 5,000 employees of the UK supermarket Morrisons claimed damages against their employer, including an allegation of breach of statutory duty under the UK Data Protection Act 1998, which predated GDPR implementation. The claim related to the malicious sharing (from his personal PC) by a disgruntled Morrisons employee of the personal financial data of approximately 100,000 Morrisons employees.
The UK High Court held that there was a sufficient connection between the position held by the disgruntled employee and his wrongful act as to make Morrisons vicariously liable. The Court of Appeal upheld the High Court’s decision.
This decision, although of persuasive authority only in this jurisdiction, will be of concern to employers, who may now find themselves liable to affected data subjects for the malicious actions of their employees, even where the organisation is itself compliant with data protection laws.
Corrective action and criminal prosecution
The DPC may direct corrective action under Article 58 of the GDPR, requiring a non-compliant organisation, for example, to cease processing personal data, to comply with a data access request, and/or to bring processing activities into compliance in a specified manner and within a specified time frame.
A non-compliant organisation (and a director, manager, secretary or other officer of that organisation) may also, on conviction on indictment, face up to five years’ imprisonment (in addition to a fine) for failure to comply with the GDPR.
It is important for organisations to realise that 25th May 2018 represents the start of their GDPR obligations and not the end. Organisations should regularly review their GDPR compliance processes to protect themselves against the reputational and financial risks of non-compliance, bearing in mind that even the best processes and controls can be undermined by human error. Organisations should also put appropriate insurance in place, where possible, to cover liability, implement strong data security and protection measures, and ensure appropriate staff training to protect themselves against such actions.
By taking the steps now to understand, evaluate and address current and future GDPR obligations, organisations will be best placed to deal with the various challenges that can come with the broad international scope of the GDPR.
PS: Of course, if Santa has the Data Subjects’ consent for his list, Christmas might be saved!