Advice that was helpful during your school days is also relevant when it comes to complying with the General Data Protection Regulation (GDPR): do your homework, because it counts for part of your grade! In the case of the GDPR, your homework assignments involve developing and implementing privacy by design measures, and making sure these policies are published and known to management.
Taking good notes and doing homework assignments came to my mind when reading the new guideline published last month on GDPR fines. Here’s what the EU regulators have to say:
“Rather than being an obligation of goal, these provisions introduce obligations of means, that is, the controller must make the necessary assessments and reach the appropriate conclusions. The question that the supervisory authority must then answer is to what extent the controller “did what it could be expected to do” given the nature, the purposes or the size of the processing, seen in light of the obligations imposed on them by the Regulation.”
The supervising authority referenced above is what we used to call the data protection authority or DPA, which is in charge of enforcing the GDPR in an EU country. So the supervising authority is supposed to ask the controller, EU-speak for the company collecting the data, whether they did their homework — “expected to do” — when determining fines involved in a GDPR complaint.
Teachers Know Best
There are other factors in this guideline that affect the level of fines, including the number of data subjects, the seriousness of the damage (“risks to rights and freedoms”), the categories of data that have been accessed, and willingness to cooperate and help the supervisory authority. You could argue that some of this is out of your control once the hackers have broken through the first level of defenses.
But what you can control is the effort a company has put into their security program to limit the security risks.
I’m also reminded of what Hogan Lovells’ privacy attorney Sue Foster told us during an interview about the importance of “showing your work”. In another school-related analogy, Foster said you can get “partial credit” if you can show the regulators, after an incident, that you have security processes in place.
She also predicted we’d get more guidance and that’s what the aforementioned document does: explains what factors are taken into account when issuing fines in GDPR’s two-tiered system of either 2% or 4% of global revenue. Thanks Sue!
Existing Security Standards Count
The guideline also contains some very practical advice on compliance. Recognizing that many companies already rely on existing data security standards, such as ISO 27001, the EU regulators are willing to give some partial credit if you follow these standards.
… due account should be taken of any “best practice” procedures or methods where these exist and apply. Industry standards, as well as codes of conduct in the respective field or profession are important to take into account. Codes of practice might give indication of the level of knowledge about different means to address typical security issues associated with the processing.
Those who want to read the fine print in the GDPR can refer to article 40 (“Codes of Conduct”). In short, it says that standards associations can submit their security controls, say PCI DSS, to the European Data Protection Board (EDPB) for approval. If a controller then follows an officially approved “code of conduct”, this can dissuade the supervising authority from taking actions, including issuing fines, as long as the standards group — for example, the PCI Security Standards Council — has its own monitoring mechanism to check on compliance.
Based on this particular GDPR guideline, it will soon be the case that those who have done the homework of being PCI compliant will be in a better position to deal with EU regulators.
The GDPR, though, goes a step further. It leaves open a path to official certification of a controller’s data operations!
In effect, the supervising authorities have the power (through article 40) to certify a controller’s operations as GDPR compliant. The supervising authority can also accredit other standards organizations to issue these certifications.
In any case, the certifications will expire after three years, at which point the company will need to re-certify.
I should add that these certifications are entirely voluntary, but there are obvious benefits for many companies. The intent is to leverage the private sector’s existing data standards and give companies a more practical approach to compliance with the GDPR’s technical and administrative requirements.
The EDPB is also expected to develop certification marks and seals for consumers, as well as a registry of certified companies.
We’ll have to wait for more details to be published by the regulators on GDPR certification.
In the short term, companies that already have programs in place to comply with PCI DSS, ISO 27001, and other data security standards should be in a better position with respect to GDPR fines.
And in the very near future, a “European Data Protection Seal” might just become a sought-after logo on company web sites.
Want to reduce your GDPR fines? Varonis helps support many different data security standards. Find out more!