DLA Piper has published the findings of its annual GDPR and Data Breach Survey. The Europe-wide survey has revealed another record year, with a 168% year-on-year increase in the total value of fines issued across Europe.
Among the largest fines levied were those against Meta Platforms Ireland (Meta), demonstrating that social media, and its reliance on extensive processing of personal data, have been a particular focus of regulatory action.
Several of the largest fines imposed against Meta by the Irish DPC relate to Facebook and Instagram’s behavioral profiling of users and whether the lawful basis of ‘contract necessity’ can be used to legitimise the mass harvesting of personal data. While the Irish DPC originally concluded that this was possible, the European Data Protection Board disagreed. The resulting fines raise serious questions about the grand bargain struck between consumers and service providers and how ‘free’ online services will be funded going forward. Given what is at stake, DLA Piper expects these decisions to be appealed and years of subsequent litigation.
The survey also reveals a year which saw the volume of data breaches notified to supervisory authorities decrease slightly against the previous year’s total. The average daily total dropped from 328 notifications per day to 300 per day in 2022. This may in part be a sign that organisations are becoming more wary of notifying data breaches to regulators for fear of investigations, fines and compensation claims.
While personal data issues around advertising and social media have dominated headlines, there is a growing focus on Artificial Intelligence and the role of personal data used to train AI.
The survey also reports some notable decisions made by data protection supervisory authorities in 2022, considering the application of the Schrems II and Chapter V GDPR requirements to specific international transfers of personal data. Data protection supervisory authorities have argued that it is not possible to adopt a risk-based approach when assessing transfers of personal data to ‘third countries’, and that transfers are prohibited if the mere possibility of foreign governmental access gives rise to any risk of harm.
“A proportionate, risk-based approach to GDPR’s restrictions on international transfers of personal data is not just permitted but, in our view, legally required,” said Ewa Kurowska-Tober, Global Co-Chair Data Protection and Cybersecurity at DLA Piper. “Adopting an ‘absolutist’ approach to transfer restrictions and effectively outlawing any transfer of personal data, however trivial the risk of harm, risks real lasting harm to consumers. Transfers have many benefits for consumers and for society, by ensuring the rapid development and roll-out of vaccines, by enabling effective oversight and regulation of business and by providing access to online services enjoyed by billions of people.”
Here, we speak to two industry experts about how GDPR can best protect cross-border payments and customer data…
Ryan Boyes, Governance, Risk and Compliance Officer at Galix
The payment industry is heavily regulated and becomes increasingly complex when it comes to handling transactions across geographical borders, considering the growing body of legislation around not only securing payments but data privacy as well. The General Data Protection Regulation (GDPR) set the current benchmark for data privacy, so aiming for this as a goal can be effective; however, there are also numerous standards internationally, including the Protection of Personal Information Act (PoPIA) in South Africa, as well as other guidance and frameworks from other countries.
Always aim higher
When making a cross-border payment, it is essential to contact the relevant regulators to ensure that requirements in the origin and destination country are understood and aligned. If one supersedes the other, it is important to always comply with the more stringent requirement. The onus is on businesses to ensure compliance from their own perspective as well as that of any other third-party suppliers.
Compliance with GDPR will, in many cases, cover the bases required for cross-border payments for most countries. However, customers and clients are within their rights to request proof of compliance, which would typically involve a third-party assessment and audit each time. For organisations dealing with large volumes of transactions, like a multinational online retailer or cloud services provider, certification on standards like ISO 27001 and ISO 27701 gives customers peace of mind that their information is handled securely. For smaller organisations, working toward the requirements for these standards – without the certification exercise – can stand them in good stead.
Where do you start?
Data breaches carry more risk today than simply compliance challenges. There is a real danger of reputational damage and loss of customer confidence, which can cause untold long-term damage. Organisations need to take this seriously, beginning by understanding their data, how it flows through the organisation and out of it, and how it is managed.
Financial information has multiple gateways that need to be secured throughout the journey. All documentation needs to be classified according to its nature and department so that the correct legislative requirements can be applied. There also needs to be a process in place, from capture through to destruction, that is compliant and where relevant parties are both responsible and accountable for the information.
A risk register is a good place to start, identifying all the risks a business faces and what needs to be complied with. From there, an incident response policy can be developed to document what steps must be taken to protect data and what must be done in the event of a breach.
While aligning with international certification standards can ensure that organisations comply with PoPIA and other legislation, the landscape can be complex, with technological, administrative and functional elements to consider as well. The right partner can help organisations from beginning to end, identifying the gaps, closing them, maintaining them and preparing for certification if needed.
Ricardo Ferreira, EMEA Field CISO, Fortinet
The EU General Data Protection Regulation (GDPR) is a comprehensive framework of data protection rules put in place to protect the personal data of individuals within the European Economic Area (EEA). It applies to any organisation – regardless of location – that processes the personal data of individuals within the EEA. This means that even companies based outside the EU must comply with the GDPR if they process the personal data of individuals within the EEA.
Regarding cross-border payments and customer data, the GDPR helps to protect this data by imposing strict obligations on controllers and processors to ensure that personal data is secured. For instance, controllers are required to appoint a representative in the EEA (if they are not established there) to ensure that someone within the EEA is responsible for GDPR compliance. This is especially important for cross-border payments and customer data, as having a representative within the EEA ensures that there is a point of contact for data protection authorities and data subjects.
On the technical side, this is achieved through organisational measures and the pseudonymisation of data where appropriate. For example, controllers and processors are required to conduct Data Protection Impact Assessments (DPIAs) to identify and mitigate risks to the rights and freedoms of data subjects. This can be particularly important when dealing with cross-border processing as it helps to ensure that the data protection risks are identified and addressed.
The GDPR also establishes the concept of a ‘lead supervisory authority’ to ensure that there is a single point of contact for data protection authorities and data subjects. The lead supervisory authority is the data protection authority that is competent to supervise the controller or processor in question, which is especially relevant for situations where multiple controllers or processors are operating in different countries. This helps to ensure that there is a consistent and coordinated approach to data protection concerning that controller or processor.
In addition, the GDPR provides for rights for individuals, such as the right to data portability and the right to be forgotten, which can be especially important when dealing with cross-border processing. These rights help to ensure that individuals have control over their data and can help facilitate the movement of personal data between countries.
Guidelines 8 and 9/2022 provide more clarity on compliance for cross-border payments and customer data, and regulators will enforce GDPR rules. Companies will have to be accountable for protecting their customers’ data if they are dealing with the EU’s customers or data subjects. Organisations need to understand their responsibilities and comply with the GDPR when processing the personal data of individuals within the EEA to avoid penalties and ensure that personal data is properly protected, as we have seen with the latest 390M fine.
Richard Bird, Chief Security Officer, Traceable
When we look at the differences between the US and the EU, it is clear that the EU is light-years ahead of almost all governments in the world. This reality is simply a reflection of the difference in expectations between the EU and the rest of the G20 when it comes to security, privacy and risk that their citizens are exposed to.
For more than a decade, the EU has been quietly but diligently building a consumer protection framework for its citizens that is much broader and deeper than just the General Data Protection Regulation (GDPR). A host of directives and regulations have been created that address issues ranging from digital market access and transparency to cross-border online transactions. The Digital Single Market Directive – which many of these changes originate from – was adopted more than three years before GDPR.
Ironically, a large percentage of the world has diluted the value proposition of the EU’s data privacy efforts and strongly resisted taking a consumer protection-oriented approach to their digital safeguards. The words ‘onerous’ or ‘burdensome’ are constantly tossed around in the halls of American legislatures and board rooms, which highlights a critical misunderstanding.
The EU’s reasons for embarking on a digital single marketplace were only partly associated with the noble ideal of keeping the people of the EU digitally safe. The EU’s mission statement is emblazoned on its website and it reads as follows: “The Digital Single Market is a strategy aiming to make Europe a leader in the global digital economy.”
The combination of consumer protection and a drive toward being the leader in the global digital economy is the secret weapon to the effectiveness of GDPR. The US, in particular, finds itself at a severe disadvantage as a digital global giant simply because the government refuses to even begin the journey toward data privacy and consumer protection regulations in the planful way the EU has.
GDPR helps to protect cross-border payments and customer data by giving individuals more control over their personal data, including the right to access, correct and delete personal data held about them. It also requires organisations to obtain explicit consent from individuals before collecting, processing or sharing their data.
Additionally, GDPR imposes strict rules on data processors and controllers, including the requirement for organisations to appoint a data protection officer and implement robust data security measures to protect personal data from unauthorised access or disclosure.
In the case of cross-border payments, GDPR also ensures that any data transfer outside the EU or European Economic Area (EEA) is done in accordance with appropriate safeguards to ensure the protection of personal data.
When we consider these key components of a holistic approach to both the privacy and the security of EU citizens, it is easy to see how the EU is successfully moving toward the goal of being the leader in the global digital economy.
Alev Viggio, Director of Compliance, Drata
GDPR is considered to be one of the strictest privacy regulations passed in decades. To the businesses this affects, many obligations must be met, otherwise these companies can be hit with heavy fines. These businesses need to be aware that the legislation does not merely affect them in their country, but that the legislation also protects customers’ data when undergoing cross-border payments.
One of the main ways in which GDPR helps to protect cross-border payments and customer data is through its strong data security requirements. Businesses should implement appropriate technical and organisational measures to protect personal data from unauthorised access, use or disclosure. This includes encryption, secure servers and compliance automation that continuously monitors and collects evidence of a company’s security controls. These measures are essential for safeguarding cross-border payments, as they help ensure that sensitive financial information is kept secure during transit and storage.
GDPR promotes transparency and accountability in how businesses handle personal data by requiring companies to be clear about how they collect, use and process it, to provide individuals with clear information about their rights and how to exercise them, and to obtain explicit consent from individuals before processing their data. This is particularly important when it comes to cross-border payments, as it helps ensure individuals are fully informed about how their data is being used and can make informed decisions about transactions.
In addition to these requirements, GDPR also imposes strict rules on transferring personal data to countries outside the EU. To ensure that personal data is adequately protected when transferred to a non-EU country, GDPR requires businesses to use several approved safeguards, such as standard data protection clauses or binding corporate rules.
With the UK government indicating it will replace UK-GDPR with its own British data protection legislation, businesses may wonder how they can comply with multiple data protection regulations. One solution is to implement compliance automation. Compliance automation refers to using technology to automate the process of complying with regulatory requirements. This can reduce the number of manual processes or paperwork often required to maintain compliance, which is prone to human error and, consequently, hefty fines and violations.
In summary, GDPR helps to protect cross-border payments and customer data by establishing strict data security requirements and by giving individuals rights to their data. Compliance automation can also play a role in helping businesses meet these requirements and avoid the consequences of fines and violations for non-compliance.