Products and Solutions

What EU-GDPR Fines Tell Us about Privacy Management

Jul 28, 2020 | by Marshall Toburen |
The word GDPR is in the center with lock icons appearing connected

The EU-General Data Protection Regulation (GDPR) became enforceable beginning 25 May 2018 with potential fines up to the greater of €20 million or four percent (4%) of global turnover (revenue) for the preceding financial year. Since its enforcement date, over 350 fines have been imposed by EU Data Protection Authorities totaling, in aggregate, more than €468 million (approximately $523 Million USD).  The EU-GDPR is widely regarded as one of the most comprehensive privacy laws in the world and has become the standard on which other privacy laws are being framed, including the California Consumer Protection Act 2.0, Brazil’s General Law for the Protection of Personal Data, the Dubai International Financial Centre Data Protection Law, and the Canadian Personal Information Protection and Electronic Documents Act, to name a few. 

According to the February 2020 United Nations Conference on Trade and Development, over 75% of countries globally have in place, or are drafting, privacy legislation. In addition, 49 of the 50 U.S. States have at least one privacy-related law (157 State laws in total) and the U.S. Federal government has nine privacy laws in place, although none of the Federal laws are yet as comprehensive as the EU-GDPR.

Many organizations subject to multiple privacy obligations have adopted the best practice to design and operate their privacy programs consistent with the most comprehensive and onerous law to which they are subject.  By adopting this best practice, organizations are generally able to demonstrate compliance across all their privacy obligations without operating a separate privacy program for each legal jurisdiction.

Because the EU-GDPR is regarded as the standard to which many privacy laws aspire, it is interesting and instructive to understand the circumstances that have led organizations to be fined for violating the regulation.  The table below is compiled from all fines disclosed and recorded since the regulation’s inception, depicting the top five types of fines.

Source: GDPR Enforcement Tracker (through 5/31/2020)

The highest number of fines (105) were incurred due to organizations having an insufficient legal basis for data processing. The second-highest number of fines, but the greatest amount of fines in aggregate, were imposed upon organizations with insufficient technical and organizational measures to ensure information security. There have been 63 fines imposed on organizations deemed to have insufficient technical and organizational measures to ensure information security, representing an average fine of approximately €5.3 million ($5.9 million). 

Of all the privacy requirements, establishing sufficient technical and organizational measures to ensure information security is likely the most difficult and time-consuming for organizations to achieve.  Organizations looking to avoid fines for violating this obligation must positively demonstrate on an on-going basis, the adequacy of the design and effectiveness of their internal control framework to ensure privacy. Some of the characteristics of such a program include:

  • Comprehensive Scope: The program would consider all geographies where the organization does business, all products and services, and all business processes, whether electronic or physical. It would include existing operations as well as capture and evaluate all new and changing geographies and activities, including mergers and acquisitions.
  • Granular data governance: It is essential to know who, what, where, how and why information is being collected, processed, stored and shared. It is not possible to demonstrate the sufficiency of technical and organizational measures to ensure information security if you do not understand this context and how much information is involved.  Granular data governance is not only about understanding the organization’s data at a point in time but to understand changes in collection, usage, storage and sharing on an on-going basis.
  • Risk management lifecycle based.  A risk management lifecycle enforces the discipline to:
    • Identify Risk: Identifying privacy risk is aligned closely with granular data governance.  You must understand everywhere personal information is being collected, processed, stored and shared with third parties; what kind of personal information is being collected; how sensitive the information is to individual’s privacy and how it is being used. If multiple sources of private information are being collected and combined for some reason, identifying risk also means identifying these data combinations.
    • Assess Risk– Assessing privacy risk means applying a consistent approach to determining the likelihood and impact to the organization and to individuals should the information be accessed, altered, destroyed, or become unavailable as a result of errors or unauthorized actions. Privacy risk assessment is not simply a consideration of the cost to the organization of a breach, fines and sanctions, remediation costs, litigation costs and reputational damage. Organizations must also understand the likelihood and impact to potentially affected individuals. Privacy risk assessment must focus on the privacy of the individual(s) not only because laws like EU-GDPR, and privacy standards like NIST Privacy Framework, require it but the assessed amount of risk to an organization is often not a proxy for risk to the individual.
    • Evaluate Risk: Evaluating risk requires organizations to compare the likelihood and impact of privacy risk to the organization’s risk appetite, and tolerance and in terms of privacy risk to the individual. Only when risk is evaluated can organizations effectively prioritize limited resources to treat those risks which exceed acceptable levels. 
    • Treat Risk: Treating privacy risk means having appropriate technical and organizational measures in place to avoid, transfer and/or mitigate the likelihood and impact of each threat-source introducing privacy risk. Weaknesses in this area are the source of the larger fines noted in the table above related to insufficient technical and organizational measures to information security. Examples of technical measures to manage information security include: network segmentation; communication protocols; firewalls; encryption; multi-factor authentication; vulnerability scanners; data leakage prevention; intrusion detection; malware protection; file integrity monitoring; and email malware scanners. Examples of organizational measures to manage information security include: information security policies and procedures; employee hiring and vetting; employee privacy training; physical data handling and destruction practices; patch management; internal controls to ensure any and all data input, processed, and output is authorized, accurate, timely, and complete; disaster recovery and resiliency planning; SDLC security reviews; third party risk management; and incident management.  The objective of risk treatment is to bring all privacy-related risk scenarios within acceptable levels.
    • Monitor Risk:  Once all privacy risks have been identified, assessed, evaluated and treated, the organization’s privacy risk profile should be monitored. Privacy risk profiles are not static. Risk changes depending on transaction volumes, business activities (such as with new and changed products and services, business process, third parties, IT infrastructure and data usage), changes in internal control effectiveness and the motivations and actions of external actors. Optimally, organizations capture all changes within their privacy risk management lifecycle and establish early warning, continuous monitoring, indicators to detect a breakdown in any technical and organizational risk treatments.
  • Program Governance:  Management owns their organization’s privacy risk management lifecycle and associated internal control framework. Line managers and risk managers (the first and second lines of defense) should be performing tests and making periodic formal assertions regarding the adequacy of the design and operation of the privacy program.  In addition, independent audit (the third line of defense) should be opining on the adequacy of the design and operation of the privacy program. Exceptions and issues raised from assertions and independent audit should be raised to appropriate senior management and resolved in a timely manner depending on the amount of risk. This governance process should inform the frequency by which the overall privacy program is refreshed.
  • Privacy Program Assurance: In the end, organizations can avoid incurring privacy-related fines only if they can provide positive assurance to stakeholders (such as data protection authorities and regulators) that the organization’s privacy program is designed and operating properly. This requires providing tangible documentation that the organization has established proper scope, data governance, risk management life cycle and program governance. 

RSA is uniquely positioned to help organizations with privacy program management. Through the use of the RSA Archer Suite for Integrated Risk Management, organizations can establish the scope of their privacy program, establish a granular data governance process, apply a consistent privacy risk management lifecycle (including for third parties and business resilience), enable strong program governance and produce tangible documentation to provide assurance of the design and effectiveness of the organization’s privacy program. In addition, RSA can enable many of the technical and organizational measures necessary in privacy programs today including: multi-factor authentication using RSA SecurID Access, identity governance using RSA Identity Governance & Lifecycle, network anomaly detection and management from RSA NetWitness Platform, and omnichannel fraud management from RSA Fraud & Risk Intelligence.