The scale on which personal data is processed in the contemporary world calls for a new assessment of the rules meant to protect the rights and freedoms of individuals. The General Data Protection Regulation 2016/679 (GDPR), implemented in May 2018, led to a greater harmonisation of privacy rules in the European Union. The new rules impose stricter requirements: not only must data controllers notify a personal data breach (unless it is unlikely to endanger the rights and freedoms of those affected), but they also have a deadline of 72 hours to file such a notification. Without a doubt, entities recognise that these new rules exist.
Nonetheless, it is obvious that the GDPR is not specific enough, and this leads to a lack of awareness of the specific obligations. While entities do assess the risk and the need for notification, they do so in highly subjective ways, based on the gut feeling and instinct of the person analysing the incident, which leads to inconsistent handling and residual risk due to the lack of clear governance and control.
As supervisory authorities demand greater accountability for decision making, it has never been more important to apply a consistent response-handling approach based on objective and quantitative criteria. Moreover, as recent Polish cases show, entities' assessments do not always meet the requirements of privacy regulators.
Lack of notification
The obligation to notify a personal data breach is a legal responsibility, and the reason for not notifying does not matter. Once an entity conceals information about an incident, it risks a fine from its national supervisory authority. The maximum fine the EU GDPR sets is €20 million or 10% of global turnover, whichever is greater [1]. The lack of notification alone might not be enough to attract such an enormous fine, since incidents are decided on a case-by-case basis. Nonetheless, it would be considered an offence and a chosen form of punishment would be imposed.
The lack of clear GDPR guidance is a blessing and a curse at once. It might help the entity, in that the court considers all circumstances without hard limits or frames, so it might be easier to find persuasive arguments and lower the fine. At the same time, however, what does the supervisory authority expect from a company? The lack of solid procedures makes the process of risk assessment long and dreadful: data controllers must create internal procedures to react to data breaches and track their consequences. What is controversial here is that it is not uncommon for the entity and the national supervisory authority to view the same case in different terms. Generally, the authorities require an objective risk assessment.
Meeting such requirements is challenging. It may well be true that companies aim to avoid a fine at all costs. On the other hand, if the authorities do not set clear, fixed standards, it might be impossible to require an objective risk assessment from a human being.
[1] "GDPR Penalties and Fines", IT Governance Ltd, 2003-2021, <https://www.itgovernance.co.uk/dpa-and-gdpr-penalties>.
Subjectivity as a factor in fine assessment
ERGO Hestia's case is one of the best examples of the problem of subjectivity in the risk assessment process. If a company uses its own internal form to analyse the risk, it unsurprisingly interprets it in the most convenient way. Without uniform guidance and criteria, the risk assessment remains a matter decided by human beings, who have personal beliefs, opinions, and goals.
Similarly to ERGO Hestia's case, another Polish insurance and reinsurance company, WARTA S.A., subjectively assessed the risk and did not report a data breach that occurred at the company. Again, the supervisory authority (PUODO) concluded that the incident should have been reported and that the company's risk assessment was not accurate, and subsequently imposed a fine of over 80k zlotys (approx. €19k) on WARTA S.A. This is just the second example out of many that illustrate the problem of subjective assessments. When entities rely on internal templates, usually in Excel, it is easy to make a mistake.
Such solutions are both ineffective and subjective, reflecting mostly the entity's point of view rather than objective standards.
It is crucial to emphasise how important it is to notify the domestic supervisory authority about breaches. Such action is the first step to successfully protecting the data, rights, and freedoms of individuals. Entities tend to believe that reporting an incident will automatically result in a fine. However, it is understating the risk and concealing the data breach that are harmful. The assessment is not an easy job, since the legal field still lacks precedents or a universal risk report form to follow.
For now, it might be better for entities to assume a higher risk than there really is. What is more, by reporting an incident, entities allow supervisory authorities to properly address it and later improve their own work. The much needed precedents are created in exactly this way. Subjective risk assessment might look like a minor issue at first, but it is often followed by problematic consequences.
Not only does an entity risk a fine, it also fails to effectively protect the rights and freedoms of individuals, arguably the most vital goal of the General Data Protection Regulation.