Compliance with the EU’s General Data Protection Regulation (GDPR) has long been a complicated, arduous task, but compliance officers can always start with one universal driver: your company’s GDPR risk keeps going up.
The European Court of Justice (ECJ) reminded everyone of that point at the end of 2023, when the court made a landmark ruling about when corporate organizations can face liability for GDPR infractions. In short, the ruling gives data privacy regulators more discretion to impose fines for GDPR violations – which means companies have all the more reason to get their GDPR compliance programs right.
We can start with the case itself and how it came to pass. It involves a German property company, Deutsche Wohnen. In 2019 German privacy regulators fined Deutsche Wohnen €14.5 million for keeping tenants’ personal data longer than was necessary, which violates Article 6 of the GDPR.
Deutsche Wohnen appealed. It argued that for privacy regulators to impose a monetary penalty on a company, they must first tie the GDPR violation to a “natural person” at the company – typically, a member of the company’s management team. Only after the regulator proves that management knew about the offense can the regulator impose liability upon the “legal person,” which would be the company itself.
On December 5, 2023, the ECJ rendered its decision: no. Regulators can hold legal persons (that is, corporate organizations) liable for GDPR violations, whether those violations were made by management directly or “by any other person acting in the course of the business of those legal persons and on their behalf.”
As a practical matter, this means regulators have more freedom to bring enforcement action against companies for their GDPR violations. Rather than needing to demonstrate that management knew about the violations and did nothing (which had been the standard under national law in several EU states), those regulators can leapfrog directly to holding your company accountable.
The solution, as always: strong compliance
Effective compliance with any regulation (privacy or otherwise) always begins the same way: you perform a gap analysis, comparing your company’s current policies, procedures, and controls against some framework that maps out what your ideal compliance state should be.
Although no privacy framework is as strict as the GDPR, we have a few framework choices that will point organizations in the right direction. One is the NIST Privacy Framework, developed in the United States by the U.S. National Institute of Standards and Technology. Another with more global appeal is ISO 27701, a privacy standard developed by the International Standards Organization. For the UK, BS 10012:2017 would be an obvious choice. You could follow the details of the GDPR itself as much as possible, or do the same with HIPAA, the healthcare privacy law in the United States.
Indeed, all these frameworks are broadly similar, although none are identical. You would want some sort of GRC software tool that works with all the frameworks, mapping their overlapping requirements and showing where your operations do – or don’t – meet privacy expectations.
Then comes the sometimes-painstaking work of implementing new controls to close the gaps you find. Those controls can come in several forms:
- Technical controls, such as keeping data encrypted or using multi-factor authentication for certain transactions. (Deutsche Wohnen was also faulted for poor technical controls in the enforcement action that started all this.)
- Process controls, to govern how data is handled. For example, you might need to define processes to destroy unnecessary personal data in a timely manner; or implement new approval processes before employees start collecting new personal data.
- Organizational controls, such as security awareness training, testing of your privacy controls, or hiring sufficient privacy and security staff.
On top of all that, you’ll also need strong third-party risk management – because, remember, the ECJ ruling says liability can arise from “any other person” acting on your company’s behalf. That includes cloud-based technology providers, joint venture partners, contract labor, distributors, and more. You’ll need to ensure they have their own sufficiently strong privacy programs in place before entrusting them with personal data you control.
The time to start, as always, is now
To a certain extent, the exact details of that ECJ decision don’t even matter much to large organizations any longer. If your company isn’t already subject to the GDPR, then it’s likely subject to some other data privacy law so similar to the GDPR (the California Consumer Privacy Act, for example) that you might as well just comply with the GDPR anyway.
That, perhaps, is the most important and pragmatic point of all: onerous data privacy rules are a fact of corporate life, and corporate compliance teams need to build the capability to comply with them. Work with your senior leadership and business units in the First Line to understand how they want to use personally identifiable information, and also to explain to them that a privacy-aware corporate culture is a necessity in the modern world.
The ECJ ruling simply underlines that point – but the point has been true for quite some time.
NAVEX has solutions designed to help you establish proper controls to stay compliant with the GDPR and other global compliance obligations. Ready to learn more?