1. Real impact!
Hello again! In this video, we'll talk about some of the practical implications of the GDPR principles for organizations when they don't comply, from a warning to monetary fines to how they affect your international operations.
2. Fines and reputation damage are real
The Italian Supervisory Authority investigated a data breach at a company that offers a diabetes app.
The origin of the case was that, as a part of a marketing campaign, an employee sent an email placing user emails in CC rather than BCC, which disclosed not only personal information but also health status.
Upon investigation, the SA found that the app failed to meet transparency requirements in how information was provided when obtaining user consent. It also found that the data was not used for the intended purpose and that there were no adequate security measures for data protection, especially given that health status falls under a special category of personal data.
The SA issued a EUR 45,000 fine. You might wonder... that doesn't seem so bad. It's a slap on the wrist. But if you think about the actual damage, the harm to the company's reputation is also serious. GDPR fines depend on the scale of the impact and the number of affected users. In the app case, there were fewer than 2,000 users. Now let's see what happens when a large number of EU users are involved.
3. 225 million fine - true story
Let's see the case of WhatsApp, a popular messaging app with millions of EU users. The app's data protection and privacy safeguards had transparency and fairness shortcomings. The app also shared user data with sister companies without necessary safeguards.
The Irish SA imposed a whopping EUR 225 million fine on the company, together with a firm reprimand.
The company eventually had to rewrite its privacy policy. And this is far from the highest fine ever issued by an SA.
4. No exemptions for EU bodies
Even the highest of the EU institutions are not exempt.
In January 2021, the European Data Protection Supervisor (EDPS) reprimanded the European Parliament for violating GDPR. The EDPS found that the privacy policy of the European Parliament was inadequate in terms of transparency. The main concern was the illegal transfer of data to the United States, since the Parliament used the services of US-based companies and processed the personal data of EU citizens.
Wait... what?!! Transferring personal data to the US is not allowed? But how can companies do business in today's interconnected world? Let's find out all about data transfers to countries outside the EU.
5. International transfers: Adequacy
GDPR protection covers all 27 EU countries and three non-EU countries: Iceland, Liechtenstein, and Norway.
Personal data transfers outside these countries need special safeguards, one of which is a GDPR adequacy decision. Adequacy is like a seal of approval for countries whose data protection laws match GDPR standards.
Article 45 of GDPR gives the European Commission the power to make these adequacy decisions following detailed checks.
Once a country is deemed GDPR adequate, the decision is not for life. The Commission continuously reviews the country's data protection standards and may revoke the decision if it finds inconsistencies.
The revocation of the US adequacy decision in 2020 is an example.
As we speak, talks are ongoing to reinstate the adequacy.
6. Not adequate, now what?
In addition to adequacy decisions, the European Commission offers a toolkit of alternative mechanisms to enable data transfers outside the GDPR-protected countries.
These mechanisms include standard contractual clauses, binding corporate rules, certification mechanisms, codes of conduct, and derogations.
You can always refer to the European Commission's website for the latest requirements applicable to your situation and country.
Let's remember that GDPR not only enforces data protection but also provides mechanisms to enable responsible data transfers.
7. Let's practice!
So far, we have talked plenty about compliance. GDPR motivates companies to build a robust data protection framework and empowers citizens to exercise control and rights over their data. In the following video, we'll learn about data subject rights.
Now let's do a couple of exercises on the real impact of GDPR.