How GDPR Sanctions Can Happen Without a Breach

Compliance officers recently got their first look at an enforcement action under the EU General Data Protection Regulation — and in a somewhat surprising turn of events, the offense in question didn’t involve a data breach.

Portugal’s national privacy regulator, the Comissão Nacional de Protecção de Dados (CNPD), fined a major hospital just outside Lisbon €400,000 for violating the GDPR. Apparently this is one of the first monetary penalties imposed by a European privacy regulator since the GDPR went into effect last May.

The offense? The hospital allowed too many staffers to have too much access to patient data. It was a failure of access control, which really is a failure of policy and procedure.

For example, the CNPD found that 985 employees of the hospital had the access rights of a medical doctor — when the hospital had only 296 doctors on staff.

Too many staffers overall had access to patient data, and too many staffers had access to more data than they needed.
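The two numbers the regulator cited (985 accounts with doctor-level rights against 296 doctors on staff) are exactly what a periodic entitlement review is meant to catch: reconcile who holds each privileged role against the HR roster, and flag both the roles held by more people than are entitled to them and the individual holders whose job title does not justify the role. The following is an added example, not code from the article or from the hospital; the title-to-role policy, the roster and the role export are all constructed sample data.

```python
"""Entitlement review: compare holders of privileged application roles against
the HR roster to surface least-privilege drift. All data below is constructed
sample data; the role names and titles are assumptions for illustration."""
from collections import defaultdict

# Which job titles legitimately need each application role (assumption: a simple
# title-to-role mapping; a real organisation keeps this in its IAM policy).
ROLE_POLICY = {
    "clinical_record_full": {"doctor"},
    "clinical_record_read": {"doctor", "nurse"},
    "billing_read": {"billing_clerk", "doctor"},
}

# Constructed HR roster: employee id -> job title.
ROSTER = {
    "e001": "doctor", "e002": "doctor", "e003": "nurse",
    "e004": "nurse", "e005": "billing_clerk", "e006": "it_support",
    "e007": "receptionist",
}

# Constructed role export from the application: (employee id, role).
ASSIGNMENTS = [
    ("e001", "clinical_record_full"), ("e002", "clinical_record_full"),
    ("e003", "clinical_record_full"),  # nurse holding a doctor-only role
    ("e006", "clinical_record_full"),  # IT support holding a doctor-only role
    ("e007", "clinical_record_full"),  # receptionist holding a doctor-only role
    ("e003", "clinical_record_read"), ("e004", "clinical_record_read"),
    ("e005", "billing_read"), ("e099", "billing_read"),  # e099 is not on the roster
]


def review_role_assignments(roster, assignments, policy):
    """Return {role: finding}. Each finding gives the number of holders, the
    headcount of staff whose title entitles them to the role, the holders whose
    title does not (or who are not on the roster at all), and orphaned accounts."""
    holders = defaultdict(set)
    for emp, role in assignments:
        holders[role].add(emp)
    findings = {}
    for role, allowed_titles in policy.items():
        entitled_headcount = sum(1 for t in roster.values() if t in allowed_titles)
        role_holders = holders.get(role, set())
        excess = sorted(
            emp for emp in role_holders
            if roster.get(emp) not in allowed_titles  # wrong title, or unknown to HR
        )
        findings[role] = {
            "holders": len(role_holders),
            "entitled_headcount": entitled_headcount,
            "excess_holders": excess,
            "orphaned": sorted(emp for emp in role_holders if emp not in roster),
        }
    return findings


def roles_over_headcount(findings):
    """Roles held by more accounts than there are entitled staff: the same
    ratio check as '985 doctor-level accounts versus 296 doctors'."""
    return sorted(r for r, f in findings.items()
                  if f["holders"] > f["entitled_headcount"])


if __name__ == "__main__":
    report = review_role_assignments(ROSTER, ASSIGNMENTS, ROLE_POLICY)
    for role, finding in report.items():
        print(role, finding)
    print("roles over headcount:", roles_over_headcount(report))
```

The headcount comparison is a cheap first signal that needs no per-user review, which is why it is a good recurring control; the per-holder list is what the access owner then has to certify or revoke. Orphaned accounts (holders HR does not know about) are reported separately because they usually indicate a leaver whose access was never removed.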

A €400,000 fine is unwelcome, but usually not disastrous for a global corporation. Still, this case illustrates how a company can run afoul of the GDPR long before a breach happens: by ignoring how business processes and employees actually work within the organization.

Privacy by Design

The GDPR captures that point in Article 25 of its text, “Data protection by design and default.” The crucial sentence is below, and I bold-faced the two most important points:

The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures which are designed to implement data-protection principles…to meet the requirements of this Regulation and protect the rights of data subjects.

The controller is the business that collects the personally identifiable data, and therefore is responsible for its safe-keeping. The appropriate technical and organizational measures are the controls to keep that data secure.

And when should you implement those controls? At the time of the determination of the means for processing — which is a lawyerly way of saying “when you decide how you’re going to collect this data in the first place.”

In other words, to comply with the GDPR, a company must embed privacy and security controls into its business processes from the start, and then ensure that privacy is protected from beginning to end. That’s privacy by design (“PbD”).

The International Assembly of Privacy Commissioners and Data Protection Authorities codified privacy-by-design as a framework in 2010. People have written whole books on PbD, but compliance officers can boil all that theory down to one overriding objective.

Above all, your organization needs to anticipate privacy risks in your data handling practices (“at the time of the determination of the means for processing”) and work to prevent those risks from happening (“implement appropriate technical and organizational measures”).

What Compliance Officers Can Do

If the goal is to anticipate and prevent privacy lapses, then the question is, “How do we control access as tightly as necessary, and no tighter?” After all, access is what creates privacy risk — and careless access creates a privacy compliance failure.

Frame the question that way, and several points emerge.

CCOs need visibility into the data flows throughout the whole enterprise. Compliance officers will need to see how protected data moves through the organization from start to finish — including any detours through third parties. That requires a strong relationship with business operating units, so they’ll share how those data handling processes work. Then you can work with IT security and other risk management functions to embed protections for that data.

Change management becomes more important. If someone later changes a process and makes it less privacy-by-design (say, by deciding to outsource a data processing task to a third party), that might cause problems, or perhaps not. Either way, compliance officers still need to know that the change has happened. So strong governance over how business processes are changed becomes more urgent in the PbD world.

Think in terms of reducing privacy risk, not securing data. For example, Article 25 of the GDPR suggests “pseudonymization” — masking or removing a person’s name from the data, so the data is no longer personally identifiable. That adds a step early in a data collection process (changing the name), but it reduces privacy risk. So you might need fewer security controls later (say, entering access codes), because pseudonymized data is less of a prize for hackers.
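One concrete way to do the pseudonymization step described above is to replace the direct identifiers in each record with a keyed hash (HMAC) and keep the key and the token-to-identity lookup table under separate, tighter access than the working data. The following is an added example, not code from the article or from the regulator; the record layout, field names and patient data are constructed for illustration.

```python
"""Pseudonymization of patient records with a keyed hash. Constructed example;
the field names and records are assumptions, not taken from the case."""
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers and replaced by a pseudonym (assumption).
DIRECT_IDENTIFIERS = ("name", "national_id")


def pseudonym(identity: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the normalized identity string. A plain hash
    would be reversible by guessing names; the secret key prevents that, and
    using the same key keeps the same person linkable across records."""
    return hmac.new(key, identity.encode("utf-8"), hashlib.sha256).hexdigest()


def _identity(rec: dict) -> str:
    # Normalize case and whitespace so "Ana Silva" and "ana silva " match.
    return "|".join(rec[f].strip().lower() for f in DIRECT_IDENTIFIERS)


def pseudonymize(records, key):
    """Return (pseudonymized records, lookup table). The lookup table maps each
    token back to the original identifiers; the controller keeps it separately,
    under tighter access, so re-identification stays a deliberate act."""
    out, lookup = [], {}
    for rec in records:
        token = pseudonym(_identity(rec), key)
        lookup.setdefault(token, {f: rec[f] for f in DIRECT_IDENTIFIERS})
        working = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"patient": token, **working})
    return out, lookup


def reidentify(pseudo_record, lookup):
    """Rejoin one pseudonymized record with its identifiers via the lookup table."""
    fields = {k: v for k, v in pseudo_record.items() if k != "patient"}
    return {**lookup[pseudo_record["patient"]], **fields}


# Constructed sample records (two belong to the same person, spelled differently).
RECORDS = [
    {"name": "Ana Silva", "national_id": "000000001", "ward": "cardiology", "diagnosis_code": "I10"},
    {"name": "ana silva ", "national_id": "000000001", "ward": "cardiology", "diagnosis_code": "E11"},
    {"name": "Rui Costa", "national_id": "000000002", "ward": "oncology", "diagnosis_code": "C50"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once and stored separately from the data
    pseudo, lookup = pseudonymize(RECORDS, key)
    for rec in pseudo:
        print(rec)
    print(reidentify(pseudo[2], lookup))
```

The working data set that analysts, billing staff or third parties see contains only tokens and clinical fields, which is why fewer downstream access controls may be needed on it; the key and the lookup table are the assets that still require the tight access of the original data.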

Work With the Enterprise

Return to our hospital in Portugal. In a situation like that, where too many people have too much access, compliance officers are in the difficult spot of arguing for less — either less access, or less convenience. Regardless, the organization is taking something away from employees. We all know how unpopular that can be.

That means the company must have a strong control environment that embraces privacy by design.

Senior executives need to tell the whole enterprise: “We value privacy, and value compliance with the GDPR. So even if the process changes that we need to implement might be a pain, we’re doing it, because it’s important to us.”

That might require a whole new way of thinking at your organization — but then, the GDPR is a whole new way of thinking about privacy.

And as we now see, EU regulators may not wait for a data breach at your organization to prove that point.
