GDPR: Two Years Later
It has been two years since the full implementation of the European Union regulation on personal data protection, the General Data Protection Regulation (GDPR). I still vividly remember how we went through our banking sector client’s business processes in order to have them adapted to the new legal framework by May 25, 2018. It was all so sudden. At the time, all kinds of information about data subjects’ rights, processors’ responsibilities, penalties for non-compliance, exemptions, etc. was all over social networks and the media.
So, what has changed?
We’re interested in today’s situation – what has changed for the data subject? And what about controllers? How do we react to these new regulations? And what does the IT industry have to offer to reduce the possible risk of unauthorized use of personal data?
The European Union has decided to put the tricky realm of data protection in order. Usually, we understand that certain institutions we have approached voluntarily need, for example, our mobile phone number. However, the tables turned when our data started to be used for other purposes.
And an average citizen thinks that GDPR is…
And these other purposes were the reason the regulation gained wide public recognition as something positive. Most people were relieved because they would no longer be disturbed by various calls, e-mails, phone surveys… Corporations that care about their performance and success also take care of corporate risk management. Therefore, they took the protection of personal data seriously and included it in their risk management processes. They are adapting, working on new policies that define the rules for the use of personal data, and introducing new roles, such as the Data Protection Officer (DPO). On the other hand, we, as users, constantly give our consent to the use of our personal data, while cookie notifications pop up every time we visit any website.
We could say that people’s awareness of their rights, but also of the consequences that unauthorized personal data processing can cause, is still quite low. Advanced technologies for collecting data and processing information on how we use our computers and what we view result in, for example, personalized offers. We’re often (not so pleasantly) surprised when we see an ad for that particular book which interests us, but we rarely read the text of the notification before we accept all cookies.
Are there any penalties? How do agencies work?
Misuse of personal data is never justified. If personal data is processed because it is needed to provide a service or information, one would probably give consent to its use. However, misuse of data when it comes to personal medical information or financial and card data may have grave consequences. In these sectors there’s no room for error: high-quality, certified security mechanisms are a must.
We can also discuss individual situations and the work of data protection agencies in Croatia, Austria or perhaps France. Each member state that has to enforce the regulation, together with its data protection agency, has its own policy on how to protect its citizens from data abuse, some less and some more successfully. Their goal should be the same: to keep improving the process of recognizing malicious acts, responding to citizens’ reports, analyzing and determining the actual situation, issuing recommendations and, for those who do not adhere to the rules, imposing sanctions.
So, were there any sanctions? I would like to start with a few examples. First, let’s look at our side of the fence, the Croatian Personal Data Protection Agency (AZOP). According to the data available on the Agency’s official website, one fine has been issued so far, to one commercial bank (neither the amount of the fine nor which bank was fined is stated). Several details were given as to why the Agency made that decision. The bank continuously rejected clients’ requests; that is, the documentation was issued only to those clients who filed a complaint with the Agency. In further inquiry, it was found that as many as 2,500 clients were denied their rights, i.e. the bank rejected their requests. And they knew what they were doing. Due to the specifics of the Law on Application, the Croatian Agency imposed 77 corrective measures in 2019. The appointment of the head of the Croatian Agency is currently underway. The function is defined by the Regulation, which states that the person in such a position must have qualifications, experience and skills, especially in the field of personal data protection.
The Austrian Agency has issued fewer measures, but most of them were fines. An example from Italy nicely illustrates how citizens who have registered their contact numbers on the Do Not Call Registry should be treated: a gas and electricity supplier was fined 8.5 million euros for telephone sales to people on the registry. The Norwegian Agency has twice fined the City of Oslo for negligent data processing. This example shows us that local government units and state institutions are not exempt from supervision.
Perhaps the most famous case so far is the one in which France issued a 50 million euro fine to Google. The French authority stated that Google did not provide sufficient information to users, nor give them enough control over the way their data is used.
How does the IT industry cope with GDPR?
The IT industry is both directly and indirectly influenced by the GDPR. Other industries use IT solutions, relying on the products of IT professionals. But their clients need to implement these solutions, too, so that end users know when, where and how their personal data is collected. What we certainly need to do is design new systems based on the privacy by design and privacy by default principles, so that they collect only necessary data. We need to take an analytical approach to defining the data flow in our systems and to recording what kind of processing is performed, and we need to establish restricted backups.
When we work on new IT systems, we have to provide an environment for development and testing. At first, it seems there shouldn’t be any problems with this. However, when it comes to data, with special emphasis on personal data, we need to keep in mind that this environment is not as safe as the production environment, because many more people have access to the data: not only authorized persons, but engineers and developers, too. In such cases we turn to anonymization. However, experience tells us that anonymization is demanding, because we must maintain consistency (the same person must map to the same value across all tables and systems so that the data remains usable) and at the same time secure the data against misuse. In doing so, we rely on pseudonymization techniques that are very effective in terms of both performance and security.
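As an added illustration of the consistency requirement just described (example code, not code from the original article or from CROZ), the following snippet pseudonymizes personal fields with a keyed HMAC so that the customer identifier stays consistent across two linked tables while the original values cannot be recovered without the key. The key, field names and sample rows are constructed for this example.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Optional

# Constructed placeholder; in practice the key lives in a secrets manager
# and is never deployed to the development or test environment.
PSEUDO_KEY = b"replace-with-a-key-from-your-secrets-manager"


def pseudonymize(value: Optional[str], key: bytes = PSEUDO_KEY, length: int = 16) -> Optional[str]:
    """Deterministic keyed pseudonym: same input and key -> same token.
    Normalizing case and whitespace keeps 'Ana@x.hr' and ' ana@x.hr' consistent."""
    if value is None:
        return None
    norm = value.strip().lower()
    digest = hmac.new(key, norm.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]


def pseudonymize_email(value: Optional[str], key: bytes = PSEUDO_KEY) -> Optional[str]:
    """Keep a syntactically valid but obviously fake address so application code still works."""
    token = pseudonymize(value, key)
    return None if token is None else f"{token}@example.invalid"


# Constructed sample rows for two tables joined on customer_id.
CUSTOMERS: List[Dict] = [
    {"customer_id": "C-1001", "name": "Ana Anić", "email": "Ana.Anic@example.com", "iban": "HR1210010051863000160"},
    {"customer_id": "C-1002", "name": "Ivo Ivić", "email": "ivo.ivic@example.com", "iban": None},
]
TRANSACTIONS: List[Dict] = [
    {"tx_id": 1, "customer_id": "C-1001", "amount": 120.50},
    {"tx_id": 2, "customer_id": "c-1001 ", "amount": 15.00},   # sloppy key, same customer
    {"tx_id": 3, "customer_id": "C-1002", "amount": 999.99},
]

# Which columns carry personal data and how each is pseudonymized.
PII_FIELDS: Dict[str, Callable] = {
    "customer_id": pseudonymize, "name": pseudonymize,
    "email": pseudonymize_email, "iban": pseudonymize,
}


def pseudonymize_rows(rows: List[Dict], key: bytes = PSEUDO_KEY) -> List[Dict]:
    """Return copies of the rows with every PII column replaced by its pseudonym."""
    return [{col: (PII_FIELDS[col](val, key) if col in PII_FIELDS else val)
             for col, val in row.items()} for row in rows]


def unresolved_transactions(customers: List[Dict], transactions: List[Dict]) -> int:
    """Count transactions whose customer_id no longer matches any customer (should be 0)."""
    ids = {c["customer_id"] for c in customers}
    return sum(1 for t in transactions if t["customer_id"] not in ids)
```

Under the GDPR, pseudonymized data still counts as personal data as long as the key exists, so the key must stay with the controller and out of the test environment.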
How does CROZ comply with the GDPR?
Yes, we have gone through the process of adapting to the Regulation. We talked to our colleagues from the data protection office, who brought us some interesting facts about the activities we at CROZ carried out.
How did CROZ react to GDPR?
We have complied with the Regulation by implementing that have helped us in certain business processes. So, for example, we have introduced a new platform for job applications where candidates manage their profile and their CVs, give consent to the use of personal data, manage the deadline for deleting data, etc. We have signed new GDPR contracts with our users in which we asked to be authorized to process data on those projects where we have access to personal data and, in addition, we created a database of such projects. We provided anonymization and pseudonymization where necessary. Of course, a team has been formed to monitor the implementation of the regulations and we have appointed a DPO.
How did it impact business processes?
The changes that have occurred have not had a significant impact on previously set business processes in our organization. So, we have aligned our processes with all the requirements of the GDPR, and the implementation of an ISO 27001 system, in which the GDPR is one of the standard requirements, can prove this.
What would you point out as the most significant change?
The most significant change would be taking care not to misuse and compromise personal data, regardless of who the data controller is (CROZ, our partners or our clients).
What is the relationship with partners and customers like?
Our partners and users recognize the importance of security, especially in the field of personal data, but sometimes we are the ones who have to warn them to pay more attention to their data than they do themselves. As we often work with overseas partners, we are not often met with understanding when we want to regulate the exchange of personal data of our employees and their CVs. But we work hard to raise awareness of the importance of personal information among both our clients and partners.
The process of adaptation is not a one-time thing. Business processes are changing. But more importantly, people’s awareness of the importance of personal data and the possible consequences of its misuse must change.
Of course, IT solutions, methodologies and tools can help us through all of this. Let’s choose them according to quality. I believe we could have touched upon many other important components of this regulation, but still, this text illustrates that we are aware of the importance of this topic. Don’t hesitate to ask us anything.