2022 was yet another eventful year in terms of GDPR compliance. The continued evolution of the enforcement landscape, with increasing number of sanctions and individuals exercising their rights required time and attention from companies eager to remain compliant. In this article we will outline some of the key milestones of 2022 and guide you through how to reduce GDPR risk exposure in 2023.
Key Developments in 2022
Supervisory Authorities Step up their Game with Fines Starting to Bite
After years of being criticized for lagging enforcement (and claims that the GDPR was, in fact, no more than a paper tiger) it is notable that European (including the UK) supervisory authorities have visibly stepped up their game in 2022. This is reflected both in the number, as well as the amount of multimillion Euro fines issued in 2022.
No less than seven fines of over EUR 10 million have been imposed by supervisory authorities across the European Union, mainly on US companies, including two fines totaling a whopping EUR 715 million imposed by the Irish Data Protection Commissioner on the same US company.
Furthermore, there have been a series of EU and UK fines (several being between EUR 1 and EUR 10 million, the bulk being below EUR 1 million) that were much more varied in terms of the total amount, the country in which they were imposed and the country of origin of the organization that was fined. Be aware, even lower fines are impactful as they can dent an organization’s reputation and keep the organization under the intense scrutiny of the supervisory authorities.
Private Enforcement is on the Rise
Enforcement by supervisory authorities has not been the only worry of organizations in 2022, as the year was also marked by more and more individuals exercising their data protection rights as well as private enforcement. Increased focus on enforcement by supervisory authorities has been a perennial concern for companies, matched in 2022 by more and more individuals exercising their data protection rights and a surge in private enforcement.
In particular, we have seen:
- An increasing number of individuals exercising their right to access or delete their personal data, unsubscribe, etc. For example, employees requesting access to personal data held by their employer
- A rising number of complaints, including litigation and pre-litigation actions, by individuals alleging violation of data protection law (e.g., illegal placement of cookies) and threatening to file a complaint with the relevant authorities or initiate court proceedings unless a certain amount is paid before a certain date
- Class actions being brought in the United Kingdom and the Netherlands, which so far have been unsuccessful, but set a concerning precedent
Common Themes in GDPR Enforcement by Supervisory Authorities and Individuals’ Actions
We have pinpointed some of the recurring themes in GDPR enforcement in 2022. Key areas of focus for enforcement included:
- Mechanisms for international transfer of personal data (e.g. standard contractual clauses (SCCs), including transfer impact/risk assessment
- Security measures, including prevention of security incidents as ransomware attacks continue to pose a significant threat to organizations
- Cookies, including AdTech, and direct marketing
- Legal grounds for processing (such as consent, legitimate interest) and transparency (e.g., scrutiny of privacy statement, employee notices, etc.)
Individuals are clearly more aware and, as a result, more likely to exercise their GDPR rights. In parallel, supervisory authorities have given closer scrutiny to companies’ response time to data subject requests, as well as their internal compliance procedures. More specifically, we have seen an increasing number of employee representatives (e.g., works council) requesting that employers ensure compliance with international data transfer rules, including privacy impact assessments and fully inform employees of the data processing details of any new IT system that processes employee data.
Prepare for 2023: How to Minimize Risk Exposure
We have identified a number of measures which may help to minimize business risk exposure, namely:
Data Subject Rights Requests
- Ensure adequate protocols are in place to comply with these requests in a timely and compliant manner
- Create templates to facilitate responses aligned with GDPR or US requirements
- Conduct employee training to ensure protocols are being followed appropriately
- Periodically monitor and assess the correct functioning of the systems involved in the processing of personal data
- Perform stress tests
Mechanisms for International Transfer of Personal Data
- Execute intra-group agreements, SCCs, IDTA and UK addendum, if appropriate, or BCRs within the company group
- Check that your master services agreement with your vendors has SCCs in place (or refers to BCRs, if applicable)
- Have transfer impact/risk assessments in place where required
- Make sure the data transfer mechanism in place is up to date with latest laws and guidance
- Assess if the forthcoming new EU-US Data Privacy Framework may be an option for your organization and consider doing the same in relation to any forthcoming UK-US similar data transfer mechanism
Cookies, including Ad Tech, and Direct Marketing
- Check if your website is placing non-essential cookies (including third party cookies, even those placed for “technical purposes”) without consent and, if so, remediate as soon as possible
- Ensure that your cookie banners have the right consents in place, avoid dark patterns (i.e. making it difficult for the user to reject consent to cookies, for example, by not having a reject button on the cookie banner) and make sure it is as easy to reject cookies as it is to accept them
- Put in place a consent management mechanism which makes withdrawing consent as easy as granting consent
- In case you rely on TCF 2.0 (transparency and consent framework), check if you comply with the TCF protocol (e.g., add a link to all providers, directly from the consent banner) and
- Double check language for consent for direct marketing and newsletters to ensure you are obtaining valid consent where necessary
- Implement 2-factor authentication where appropriate
- Provide regular employee training, including for employees working remotely
- When acting as a data controller, ensure that the data processor is also implementing appropriate security measures
- Draft or review your password policies, taking into account complexity and regular renewals
- Implement incident/crisis management procedures and tabletop exercises
- Draft an Information Security Code of Conduct
Legal Grounds and Transparency (Web Sites and Employee Documentation)
- Focus compliance efforts on public-facing documents first (e.g., cookie policies and banners, website privacy information notices, data collection forms, terms and conditions, etc.)
- Draft/update employee and job applicant privacy policies including information on the processing of individual data, e.g., internal investigations, collecting diversity and inclusion data, access to data post-employment, etc
- Take works councils and other employee representatives into consideration as they may need to be informed and/or may have co-determination rights with regard to the data protection measures or protocols implemented
Finally, although supervisory authorities’ enforcement activities are one way of trying to predict where GDPR enforcement risks may lie in the year ahead, they are not the only way. There are other important considerations to take into account including;
- Sensitivity of the data being processed – Processing of sensitive information, such as data concerning health or official documents such as passports, ID cards, SSNs, and others, typically carry substantial risk given higher impact on individuals in the event of breach
- Business criticality – Businesses should also bear in mind that supervisory authorities may not only impose fines, but also order companies to suspend processing data. This may have particularly burdensome consequences on business continuity
- Public-facing documents/processes – These are often incorporated into the user interface and end-users interact with them daily. Such heavy use usually implies a higher chance that there might be dissatisfied users and if there are any flaws in compliance, they will point these out. Public-facing documents are also easy to access and check by supervisory authorities and privacy activists, without the company knowing it is being scrutinized
Takeaways and Conclusion
In 2022 we saw some examples of enforcement starting to bite. The time for compliance on paper is over, companies need to have effective processes in place. The fines imposed last year included companies large and small, from a variety of industries and jurisdictions, so no company should assume that they are not a target.
Looking ahead to 2023, identifying where the EU/UK GDPR exposure risks lie is not easy. It promises to be yet another busy year for those working on privacy compliance and litigation, with a lot still evolving both in Europe as well as in the US. However, paying special attention to the measures outlined above will go a long way to ensuring compliance and mitigating risk.