Privacy inspections: how to be prepared?
In light of the new legislative framework on data protection, a number of Data Protection Authorities have started to impose sanctions, which are the result of inspection activities carried out on an ongoing basis by the relevant DPA. Such inspections are set to increase in the near future, so it is essential for entities processing personal data to be proactive, taking appropriate steps to adopt adequate privacy compliance programs that are continually fine-tuned to avoid sanctions. In such a complex environment, what is advisable for companies?
Last year brought considerable changes to the data protection world. The EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") finally became applicable, introducing into privacy law its long-awaited principles and rules. At the same time, EU Member States, including Italy, adopted new local legislation in order to review and amend their national laws and align them with the GDPR.
In light of this new legislative framework, a number of Data Protection Authorities ("DPAs") have started to impose sanctions. The Austrian Datenschutzbehörde was the first authority to sanction a company, for the unlawful use of a video surveillance system. The German supervisory authority followed soon after, fining a company following a data breach for violating art. 32 of the GDPR (security of processing). A Portuguese health company was sanctioned by the Comissão Nacional de Proteção de Dados for inadequate technical and organizational measures. Last but not least, the French Commission nationale de l'informatique et des libertés issued a fine of € 50 million against Google for breach of its GDPR obligations.
Such sanctions are the result of inspection activities carried out on an ongoing basis by the relevant Data Protection Authority in order to ensure compliance with the GDPR and local privacy legislation.
With regard to Italy, the Garante per la protezione dei dati personali, assisted by the Guardia di Finanza (the Italian finance police, which is appointed to carry out privacy inspections), has always been particularly active. Twice a year the Italian DPA issues an inspection plan indicating the areas on which it will focus its controls over processing activities.
For the coming year the Italian DPA, as set out in the recently adopted 2019 inspection plan, will focus its monitoring activities on (i) data processing carried out by credit institutions and public health institutions (including transfers of data to third parties for further research purposes), (ii) data relating to loyalty cards, (iii) issues arising from the development of a digital identity for citizens (SPID, the Italian public digital identity system), (iv) the adoption of security measures by public administrations and by companies whose main activity is the processing of special categories of data, and (v) the adoption of, and compliance with, retention policies by both private and public entities.
Of course, the areas indicated in the plan do not limit the inspection activity of the Italian DPA, which will also assess controllers and processors following complaints filed by data subjects.
In light of the above, inspections are likely to increase in the near future. The feeling in the privacy community is that all European DPAs will become stricter in verifying companies' compliance with the GDPR.
It is therefore important that entities processing personal data are proactive, taking appropriate steps to adopt adequate privacy compliance programs. Such programs require a deep change in technical and organizational measures, including the adoption of policies and procedures that can demonstrate privacy compliance to DPAs and justify the decisions taken on data processing (for instance, the records of processing activities required by art. 30 of the GDPR and documented data protection impact assessments under art. 35). They also need to be continually fine-tuned to avoid sanctions.
The risk is that, over time, privacy will no longer be considered a priority for businesses, to the point that companies processing personal data may set a lower budget for future privacy compliance programs on the assumption that the task, once approached, has been completed. This is a misconception: privacy compliance is a continuous work in progress.
This is all the more true because the processing of personal data is nowadays carried out through IT systems that, owing to technological developments, need to be updated almost daily. It therefore comes as no surprise that, also in order to ensure compliance with privacy provisions, companies need to build cyber resilience together with incident response schemes able to remediate adverse impacts on the business and protect the brand's reputation, as well as post-incident remediation plans that mitigate the impact of any claim or other liability. In practice, the incident response scheme should also cover the obligation under art. 33 of the GDPR to notify a personal data breach to the competent DPA without undue delay and, where feasible, within 72 hours of becoming aware of it: a documented procedure for detecting, assessing and notifying breaches is one of the first things an inspector will ask for after an incident.
In such a complex environment, it is advisable for companies processing personal data to adopt internal procedures for the management of "dawn raids", so as to be prepared in the event of an inspection and able to demonstrate to the relevant DPA the measures adopted to ensure privacy and cybersecurity compliance.