GDPR Enforcement: Be Proactive with Your Compliance Obligations
GDPR has been in effect for over 2 years, and enforcement actions are becoming more widespread, with heavy penalties. For instance, the United Kingdom’s Information Commissioner’s Office (“ICO”) levied large fines against Marriott (£99 million or $110.2 million) and British Airways (£183.5 million or $204 million) for recent data breaches and violations of GDPR. Data Protection Authorities have ramped up investigations, and it seems as though those authorities are more likely than ever to exert their regulatory authority on corporations with improper data and privacy procedures, resulting in large fines and penalties. Corporations and corporate counsel need to be vigilant in their data privacy programs and stay alert, because these large fines are evidence that Data Protection Authorities are not messing around. GDPR was drafted to protect the privacy rights of any data subject from the European Union, giving them the right to know what data corporations retain about them and to request that the data be deleted if they so desire. These data subject requests have become commonplace for many large companies, which have protocols in place to handle them. Many smaller companies do not have such a system, and they are putting themselves at great risk of being caught in a Data Protection Authority’s regulatory action for lack of compliance. Fines can be severe, and in many instances are tied to the worldwide revenue of the company.
As more privacy laws come into effect, larger companies need to ensure their vendors at all levels of the business are able to comply with data subject requests, in order to mitigate inadvertent disclosure of a data subject’s data. Likewise, small businesses need to ensure they fully understand their regulatory compliance obligations under these privacy laws and do not take them for granted. A security breach or inadvertent disclosure of information regulated under these privacy regimes is only one click away while using the internet.
As an action plan, large and small businesses can ensure their compliance with GDPR and other current or upcoming privacy regulations by developing a series of procedures:
- Update Consumer Privacy Policies: Work with experienced privacy legal counsel to routinely review privacy policies at least yearly to ensure processes are compliant and the terms and conditions are up to date. Privacy laws are ever evolving and change regularly throughout the year. Stay attentive and be proactive with your legal counsel.
- Develop Robust Incident Response Structures: GDPR, like many other privacy laws, requires notifications to be sent to affected individuals within a strict timeframe. Missing one of these deadlines can put you in the crosshairs of a regulatory audit. Incident response plans should treat the legal timeframes contained in these privacy laws as a minimum requirement to act, and should be proactive in responding to an incident. Nowadays, not having a written incident response plan is not an option. If you do not have one now, seek legal counsel immediately.
- Notify Consumers as Policies Change: As privacy laws change and organizations update their policies, businesses need to notify their customers of those changes in real time. In many instances, regulatory authorities require companies to notify customers as soon as the policy is finalized, because the way data is processed generally changes with each of these updates. If you are not doing that now, speak to experienced legal counsel to help you develop a plan.
- Understand All Data Flows in Your Company (and continuously update your company’s data map): Many privacy laws require organizations to understand how and where their data is stored, and how it is moved and processed throughout the consumer relationship. Businesses must know what data they possess and what data they have access to, whether it is sensitive or not. If your business has not done a data mapping exercise, or it has been some time since the last one, you may be in violation of GDPR as well as other privacy laws, which require continuous updates and ongoing compliance. Organizations need to know where all their data resides and how it moves. This knowledge will help with incident response as well as with any regulatory audit.
- Track developments of other privacy laws: Lastly, always stay aware of what the privacy law landscape looks like. Understand what laws are in effect, what laws are being implemented, and what laws are being drafted or are up for consideration for legislation. Organizations large and small should work with experienced privacy legal counsel and other risk functions to track the development and implementation of new privacy laws and understand their effects on the organization.
Remember, hiring experienced privacy legal counsel is necessary to navigate GDPR’s requirements as well as other privacy laws in order to understand all the risks involved. Fines for noncompliance can reach millions of dollars. Choose a law firm with privacy law expertise and experience.