Two years after the launch of the General Data Protection Regulation (GDPR), CLC’s in-house Legal Adviser and Data Protection Officer Gaëlle Lipinski reminds us that companies have a duty to introduce internal data management and protection measures. Beware of those who do not respect their obligations.
On 25 May, the General Data Protection Regulation (GDPR) marked its second anniversary. Proposed by the European Commission and adopted by the European Parliament, the regulation aims to strengthen the protection of individuals with regard to their personal data.
It is primarily aimed at private companies and public bodies, which are required to comply with a number of rules on these issues.
“They have a duty to introduce internal data management and protection measures,” warns Gaëlle Lipinski, lawyer and Data Protection Officer (DPO) at the Luxembourg Confederation of Commerce, the employers’ organisation dedicated to private enterprise.
Gaëlle Lipinski, what steps do companies need to take to comply?
Whatever the size of the company – startups, SMEs, large groups – or its activities, these measures require very specific actions, such as the appointment of an internal data protection officer, or at least one person in charge of this issue, who will then be recorded in the register of processing activities (commonly called the Register).
Once the process has been carried out and documented, companies must then define possible corrective actions and analyse the risks that may affect data security. In addition, they must implement internal procedures to ensure the ongoing protection of the personal data being processed and anticipate possible events that may have an impact on data security.
However, small structures do not always have sufficient financial and human resources to integrate such provisions into their activities. How do they manage this?
For this reason, the Luxembourg Confederation of Commerce is raising awareness among its members of the possible risks in case of non-compliance with the GDPR. It also offers them general or sectoral legal information sessions on the system.
In addition, it supports SMEs with fewer than 100 employees by offering them an external DPO service for the implementation and the documentation of their data processing.
Not forgetting IT security issues, one of the most sensitive aspects in terms of management and protection of personal data.
In this area, appropriate actions must be put in place by companies and their subcontractors. These measures must be adapted to the risks and sensitivity of the data processed.
Moreover, the National Commission for Data Protection (CNPD) is devoting a thematic dossier to this issue. But security should not be limited to the purely technical aspect; it must also involve all the actors concerned (data controllers, executing employees and subcontractors, persons whose data are processed).
The same applies to telephone and Internet connections, tools for managing, backing up and hosting data on an internal server, external clouds and datacenters, and internal and external video surveillance cameras. All these infrastructures must be listed and recorded in the Register.
Thus, by following the recommendations of the CNPD, companies apply a preventive approach to secure their data. Moreover, they limit the risks of loss or data breaches on their activities, employees, customers, suppliers and subcontractors. And they can better protect themselves against industrial espionage.
What are the risks for non-compliant companies?
At any time, the CNPD may require access to the Register, and may impose penalties for non-compliance or violations.
And even if the process is restrictive and time-consuming, compliance has the merit of initiating a business introspection within companies.
“Fear has led to behaviour and decisions that were not correct.”
What is important is awareness: by reviewing their entire processes, activities and businesses, and listing their staff, customers, subcontractors and suppliers, companies can identify potential and existing risks and get to know themselves better. And who knows themselves well, protects themselves well.
What about today, with the current health and economic crisis?
With Covid-19, companies are faced with other priorities. Whatever their size, they have put aside their GDPR approach. Because this only makes sense if the company is up and running, and not when its activities are at a standstill. If it is in crisis, the question does not arise.
However, the issue of protecting employee health data has arisen…
One of the first reflexes of people who are afraid is to want to know everything about everyone. Several companies have therefore felt the need to collect health information about their employees and customers: by asking them, for example, if they had been in contact with infected people or if they or their relatives were showing symptoms.
These are sensitive and health-related data, which companies are not required to know. Many have therefore been called to order as a result of these intrusive actions.
Therefore, common sense must be used: such as providing protective equipment (wipes, gels, masks, etc.), an airy and sufficiently spacious room, available to employees.
More than ever, the health crisis has made companies understand that the GDPR really has its place.
Has it raised other issues concerning the protection of personal data?
In order to adapt, some companies have reviewed their activities and offered new services, such as shops, which have moved from direct sales to home delivery.
However, many have not adapted their GDPR approach to this repositioning. In order to provide these new services, these companies have had to collect sensitive information about their customers: about a disabled person who wants his purchase to be taken upstairs; or about another, in quarantine, who asks that his parcel be left in front of his door…
Companies that already had a Register may have incorporated this new data into their files. Those that did not have a GDPR approach rarely considered doing so.
Similarly, many websites were recently created during the health crisis, but many failed to publish the consent form for data processing.
During this crisis, there were also many reports of hacking or phishing of companies.
Many companies that had put their staff – especially IT staff – on short-time work or leave, did not necessarily update their software and security firewalls during this period.
“Even when it is operating at idle, the company remains responsible for protecting its data and that of its employees and customers.”
Some hackers have therefore taken advantage of this relaxation in computer security to hack into data.
Therefore, even when the company is operating in slow motion, it remains responsible for protecting its data and that of its employees and customers.
What about telecommuting and data protection?
Here too, data is not always protected: for example, some employees work on their patio, talking out loud without realising that they might be revealing confidential data about their company and customers.
Others don’t bother to protect their private Wi-Fi network with a password. But when they connect from their computer to their company’s network, they expose their employer’s data to the risk of hacking.
In general, we protect ourselves from a risk when we are aware of it. On this point, the GDPR is a good way to raise awareness of these issues among companies and their employees.
The health crisis – with its consequences such as lockdown and working from home – has also made them realise that protecting their data can be a necessary evil that allows them to avoid the worst.
Photo: Yura Fresh on Unsplash