Compliance officers recently got their first look at an enforcement action under the EU General Data Protection Regulation — and in a somewhat surprising turn of events, the offense in question didn’t involve a data breach.
Portugal’s national privacy regulator, the Comissão Nacional de Protecção de Dados (CNPD), fined a major hospital just outside Lisbon €400,000 for violating the GDPR. Apparently this is one of the first monetary penalties imposed by a European privacy regulator since the GDPR went into effect last May.
The offense? The hospital allowed too many staffers to have too much access to patient data. It was a failure of access control, which really is a failure of policy and procedure.
For example, the CNPD found that 985 employees of the hospital had the access rights of a medical doctor — when the hospital had only 296 doctors on staff.
Too many staffers overall had access to patient data, and too many staffers had access to more data than they needed.
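The CNPD finding above is, in practice, the output of an entitlement review: count who holds a privileged role in the access system, count who is entitled to it according to the HR roster, and list the difference. The script below is an added illustration of that check and is not code from the article or from the hospital; the roster, the entitlements and the title-to-role policy are constructed sample data, and the field and function names are assumptions.

```python
"""Entitlement reconciliation: compare who holds a privileged role in a
patient-data system against who should hold it according to the HR roster.
Added example; ALLOWED_ROLES and the sample data below are constructed."""
from collections import Counter
from dataclasses import dataclass

# Constructed least-privilege policy: each job title maps only to the access
# roles its duties require. Anything outside this set is over-privilege.
ALLOWED_ROLES = {
    "physician": {"doctor"},
    "nurse": {"nurse"},
    "receptionist": {"scheduling"},
    "it_support": {"helpdesk"},
}


@dataclass
class ReviewReport:
    holders: dict          # role -> number of accounts that hold it
    justified: dict        # role -> number of staff whose title permits it
    over_privileged: list  # (employee_id, title, role) to revoke
    orphans: list          # employee_ids with access but no roster entry


def review_entitlements(roster, entitlements, allowed=ALLOWED_ROLES):
    """roster: [(employee_id, job_title)], entitlements: [(employee_id, role)]."""
    title_of = {emp_id: title for emp_id, title in roster}

    # "985 employees had doctor rights" is simply the holder count for a role.
    holders = Counter(role for _, role in entitlements)

    # "296 doctors on staff" is the number of people whose title permits it.
    justified = Counter()
    for title in title_of.values():
        for role in allowed.get(title, set()):
            justified[role] += 1

    over_privileged = []
    for emp_id, role in entitlements:
        if emp_id not in title_of:
            continue  # handled as an orphan below
        title = title_of[emp_id]
        if role not in allowed.get(title, set()):
            over_privileged.append((emp_id, title, role))

    # Accounts that exist in the access system but not in HR (leavers,
    # shared accounts) are a separate finding: nobody is accountable for them.
    orphans = sorted({e for e, _ in entitlements if e not in title_of})

    return ReviewReport(dict(holders), dict(justified), over_privileged, orphans)


# Constructed sample: five staff, eight role grants, one unknown account.
SAMPLE_ROSTER = [
    ("e001", "physician"),
    ("e002", "physician"),
    ("e003", "nurse"),
    ("e004", "receptionist"),
    ("e005", "it_support"),
]
SAMPLE_ENTITLEMENTS = [
    ("e001", "doctor"),
    ("e002", "doctor"),
    ("e003", "nurse"),
    ("e003", "doctor"),     # nurse holding doctor-level access
    ("e004", "doctor"),     # receptionist holding doctor-level access
    ("e005", "helpdesk"),
    ("e005", "doctor"),     # IT support holding doctor-level access
    ("e999", "doctor"),     # no such person on the roster
]


def run_sample():
    return review_entitlements(SAMPLE_ROSTER, SAMPLE_ENTITLEMENTS)


if __name__ == "__main__":
    report = run_sample()
    for role, n in sorted(report.holders.items()):
        print(f"{role}: {n} accounts hold it, {report.justified.get(role, 0)} entitled")
    for emp_id, title, role in report.over_privileged:
        print(f"revoke {role} from {emp_id} ({title})")
    print("orphan accounts:", report.orphans)
```

Run against real exports, the two numbers the regulator compared fall out of `holders["doctor"]` and `justified["doctor"]`; the `over_privileged` list is the revocation work order, and `orphans` is the list of accounts nobody in HR vouches for. The policy table is the part that requires the business units' input, which is why the article stresses visibility into how processes and people actually work.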
A €400,000 fine is unwelcome, but usually not disastrous for a global corporation. Still, this case illustrates how a company can run afoul of the GDPR long before a breach happens: by ignoring how business processes and employees actually work within your organization.
Privacy by Design
The GDPR captures that point in Article 25 of its text, “Data protection by design and default.” The crucial sentence is below, and I bold-faced the two most important points:
The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures which are designed to implement data-protection principles…to meet the requirements of this Regulation and protect the rights of data subjects.
The controller is the business that collects the personally identifiable data, and therefore is responsible for its safe-keeping. The appropriate technical and organizational measures are the controls to keep that data secure.
And when should you implement those controls? At the time of the determination of the means for processing — which is a lawyerly way of saying “when you decide how you’re going to collect this data in the first place.”
In other words, to comply with the GDPR, a company must embed privacy and security controls into its business processes from the start, and then ensure that privacy is protected from beginning to end. That’s privacy by design (“PbD”).
The International Assembly of Privacy Commissioners and Data Protection Authorities codified privacy-by-design as a framework in 2010. People have written whole books on PbD, but compliance officers can boil all that theory down to one overriding objective.
Above all, your organization needs to anticipate privacy risks in your data handling practices (“at the time of the determination of the means for processing”) and work to prevent those risks from happening (“implement appropriate technical and organizational measures”).
What Compliance Officers Can Do
If the goal is to anticipate and prevent privacy lapses, then the question is, “How do we control access as tightly as necessary, and no tighter?” After all, access is what creates privacy risk — and careless access creates a privacy compliance failure.
Frame the question that way, and several points emerge.
CCOs need visibility into the data flows throughout the whole enterprise. Compliance officers will need to see how protected data moves through the organization from start to finish — including any detours through third parties. That requires a strong relationship with business operating units, so they’ll share how those data handling processes work. Then you can work with IT security and other risk management functions to embed protections for that data.
Change management becomes more important. If someone later changes a process and makes it less privacy-by-design (say, by deciding to outsource a data processing task to a third party), that might cause problems, or perhaps not. Either way, compliance officers still need to know that the change has happened. So strong governance over how business processes are changed becomes more urgent in the PbD world.
Think in terms of reducing privacy risk, not securing data. For example, Article 25 of the GDPR suggests “pseudonymization” — masking or removing a person’s name from the data, so the data is no longer personally identifiable. That adds a step early in a data collection process (changing the name), but it reduces privacy risk. So you might need fewer security controls later (say, entering access codes), because pseudonymized data is less of a prize for hackers.
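One concrete way to do the pseudonymization step the article mentions is to strip the direct identifiers from each record and replace them with a keyed-hash token, so the records can still be linked to each other but nobody without the key can map a token back to a person. The script below is an added illustration, not code from the article; the HMAC-based approach, the field names and the sample records are assumptions, and the key is a constructed placeholder.

```python
"""Pseudonymization with a keyed hash (HMAC-SHA256).
Added example; the schema, key and records are constructed, not a real system."""
import hashlib
import hmac

# Fields that directly identify a person. These are removed; the token
# below stands in for them. Quasi-identifiers (dates, postcodes) are a
# separate problem and are not addressed here.
DIRECT_IDENTIFIERS = ("name", "national_id")


def pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic token: same key + same identifier -> same token, so
    records for one patient still link together. Without the key the token
    cannot be reversed, and it cannot be recomputed from a guessed identifier,
    which is what a plain unkeyed hash would allow."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(record: dict, key: bytes) -> dict:
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["patient_token"] = pseudonym(record["national_id"], key)
    return out


def has_direct_identifiers(record: dict) -> bool:
    """Gate to run before a dataset leaves the controller's environment."""
    return any(field in record for field in DIRECT_IDENTIFIERS)


# Constructed placeholder key. In a real deployment the key is the
# "additional information" that must be stored separately from the data
# and under its own access controls; if it travels with the dataset the
# data is not pseudonymous at all.
SAMPLE_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed sample records; the national_id values are made up.
SAMPLE_RECORDS = [
    {"name": "A. Example", "national_id": "PT-000000001", "ward": "cardiology", "hba1c": 6.1},
    {"name": "A. Example", "national_id": "PT-000000001", "ward": "cardiology", "hba1c": 5.9},
    {"name": "B. Example", "national_id": "PT-000000002", "ward": "oncology", "hba1c": 7.4},
]


def pseudonymize_all(records, key=SAMPLE_KEY):
    out = [pseudonymize(r, key) for r in records]
    # Fail closed: refuse to return a dataset that still carries identifiers.
    assert not any(has_direct_identifiers(r) for r in out)
    return out


if __name__ == "__main__":
    for row in pseudonymize_all(SAMPLE_RECORDS):
        print(row)
```

The design choice worth noticing is determinism: a keyed hash keeps the two cardiology rows linkable as one patient, which is what a research or billing process usually needs, at the cost of the token being stable over time. If linkage across datasets is not required, a random per-record token with a lookup table kept only by the controller reduces risk further. Either way, the reduction in risk the article describes comes from the fact that the downstream copy no longer contains names, so fewer controls are needed around it.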
Work With the Enterprise
Return to our hospital in Portugal. In a situation like that, where too many people have too much access, compliance officers are in the difficult spot of arguing for less — either less access, or less convenience. Regardless, the organization is taking something away from employees. We all know how unpopular that can be.
That means the company must have a strong control environment that embraces privacy by design.
Senior executives need to tell the whole enterprise: “We value privacy, and value compliance with the GDPR. So even if the process changes that we need to implement might be a pain, we’re doing it, because it’s important to us.”
That might require a whole new way of thinking at your organization — but then, the GDPR is a whole new way of thinking about privacy.
And as we now see, EU regulators may not wait for a data breach at your organization to prove that point.