Takeaways from “GDPR Briefing”

Individuals from various ICT businesses joined us for the “GDPR Briefing” training with Armend Kumnova – a certified GDPR specialist, who has worked over seven years in the banking sector as a Data Protection Officer.

“GDPR Briefing” elucidated vital concepts for the General Data Protection Regulation in an executive summary fashion. Representatives from various ICT businesses joined us for the two-hour event to familiarize with the legislative framework and the measures one should take to meet compliance requirements. This article will lay out the main takeaways from the briefing session.

Regulation Overview

While it is true that there have already been numerous cases since the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) became effective for more than a year now, the true effect has yet to be felt as the work to overcome its regulatory challenges has barely begun. Cases that are submitted to the European Data Protection Board (EDPB) take a while to process due to the lengthy legal battles and considering that most of the companies appeal the decision of regulatory bodies. As stated in our previous article, financial penalties over the course of one year had reached an amount of approximately €56 million. However, nearly 90% of that number is due to Google’s €50 million fine in France, on 21 January 2019, from the National Data Protection Commission (CNIL) for lack of transparency, inadequate information and lack of valid consent regarding the advertisements personalization.

🇫🇷 Google was fined €50,000,000 for lack of consent on advertisments;
🇵🇱 A data broker company was fined €220,000 for failing to inform citizens that their data was being processed by the company;
🇩🇪 A social network operator was fined €20,000 for failing to secure users' data
— Sense (@Sense_CRC) July 3, 2019

Nevertheless, as per July 2019, we already have two enormous cases from U.K.’s Information Commissioner’s Office (ICO), where British Airways and Marriott International are facing a whooping fine of €204.65 million and €110,2 million respectively due to past data breaches. To put it on perspective, two seperate events in less than four days have resulted in facing penalties fives times the amount of total cases from 25 May 2018 to 25 May 2019. The instance of the American multinational hospitality company, Marriott, is interesting because the data breach (which is one of the biggest breaches known to date) happened in 2014 – before GDPR was even approved, let alone enforced. Nonetheless, the company learned about the breach of up to 383 million guest records later in 2018, hence why the case has fallen under the umbrella of the GDPR. That certainly changes the risk equation, as retroactive security is, alas, still beyond our ability today.

At a Glance

It is a fact that the GDPR has shaped the way entities handle personal data. While a lot of companies have taken measures since its enforcement, individuals should be familiar with the much more broader existing consumer rights. The following document servers as an executive summary of the main points for the regulation itself.

GDPR Fact Sheet

Businesses’ Responsibilities

Companies and organizations should have the following points in mind for proper GDPR implementation:

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
You must provide privacy information to individuals at the time you collect their personal data from them.
If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
It is often most effective to provide privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices.
User testing is a good way to get feedback on how effective the delivery of your privacy information is.
You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.
Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage.

Furthermore, people who work in the Information Technology department should make sure to gather as much logging as possible. Most of data breaches / hacks are typically noticed after a period of time; and according to the GDPR, you have 72 hours to report an incident from the time you get to know about the breach (not to be confused with the actual time of breach). The best proof consists of events that are repeatedly collected and recorded.