Recently Amazon was hit with an $888 million fine for allegedly violating the European Union’s General Data Protection Regulation (GDPR), and companies are now left to devise plans for avoiding similar infractions of the privacy law. Amazon drew the ire of the Luxembourg National Data Protection Commission (CNPD) reportedly because of how the tech giant collects and uses personal information related to its offices in Luxembourg, its EU headquarters.
The Amazon fine was far more severe than the heaviest GDPR penalty up to that point, which Google incurred for its data-consent policies in France, where the CNIL fined Google $56.8 million. GDPR allows fines of up to 4% of a company’s global sales for violating the most serious aspects of the law.
When the European Union adopted GDPR in April 2016 and officially implemented the law in May 2018, people gained more power over how organizations share their personal information.
Other tech companies such as Facebook’s WhatsApp also face fines over data-privacy concerns from EU regulators, and on July 22, 2021, the Dutch Data Protection Authority fined TikTok 725,000 euros, equivalent to around $859,000, for GDPR violations involving children’s privacy.
The decisions that imposed the fines facing some of the leading tech brands offer a chance for organizations to learn how to adopt strategies that will help them avoid steep violations. The best way to avoid fines is to be fully compliant with the law, but there are actions to take upon receiving an inquiry from a supervisory authority that can impact the severity of the fine. Here are five strategies companies should consider as they aim to avoid hefty privacy penalties from the GDPR:
- Comply with inquiries from regulators.
Being a willing participant in communications with regulators gives the company a better chance of avoiding steep fines. Management need not volunteer more information than is requested, but it should not skimp on the details that are requested either. Organizations often get hit with fines because they fail to answer inquiries from regulators. Data Protection Authorities (DPAs) often choose to safeguard the independence of companies and decide to avoid engaging with companies directly.
- Cooperate with regulators directly.
Practice full cooperation. Don’t close the blinds and hide behind outside counsel. Organizations should involve outside counsel or their internal department when speaking to a DPA, especially during an investigation. When dealing with a regulator, however, it is more than likely that they have the legal means to obtain the documentation and access they want, or to increase the penalty to reflect a refusal to cooperate. Either provide it when regulators ask nicely, or they will order the company to hand it over.
- Keep a record of data management practices.
Maintain accountability by documenting data processing procedures thoroughly, including everything important to the company’s data processing workflows. Document all data activities and why the company performs them. Also consider keeping a library of internal policies and procedures (accountability mechanisms) that explain how the organization meets compliance requirements. Organized policies and processes lead to consistent operations, which in turn bring proper compliance. When a company is compliant, trust follows and brings more positive communications with regulators.
- Make privacy compliance transparent.
Share how the company adheres to privacy laws, and document that compliance. A company that regularly shows how it complies with the law tends to have a successful compliance program and a stronger response to regulators. Share how the company reviews ongoing compliance, and keep those records current, to substantially reduce the risk of a GDPR fine.
- Automate privacy management.
Privacy management tools that offer automated risk analysis and assessment help companies comply with privacy laws. Artificial intelligence can support strategic decision-making and scan documents to check that the company complies with global regulations. It can also deliver efficiencies by reducing redundancies in evidence gathering, and it can assess whether particular privacy laws apply to the company’s systems and data.
Cooperate with the DPA when the company receives questions, be transparent toward the target audience, customers and employees, and run an accountable privacy management program. Put forth a genuine effort to comply with documentation requirements and compliance reviews, and the authorities will take those good-faith efforts into account. That way the company can reduce its risk of incurring hefty fines from regulators.
K Royal, associate general counsel and DPO; Paul Breitbarth, director, Global Policy and EU Strategy, TrustArc