TheCorporateCounsel.net

June 4, 2021

GDPR: Regulatory & Enforcement Trends

This 20-page memo from Baker Hostetler takes a deep dive into data security and incident response plans. It gives 14 key takeaways on the front page that are worth checking out. Since we’re on the topic of GDPR today, I’ll highlight the EU regulatory update from page 13. Here are a few nuggets:

Timing Is (Still) Everything – Much of the focus on GDPR’s notice obligations has been on the 72-hour deadline for notifying a data protection authority (DPA). While some DPAs accept delays accompanied by explanations, others take a much narrower view of the permissible bases for extending the deadline. In particular, the Dutch DPA has taken a hard stance that the need to further investigate the incident and its effects is not a sufficient reason for delayed notice. Several other DPAs, including in Ireland and Sweden, fined companies for failing to notify within the 72-hour deadline. Companies subject to the GDPR should be prepared to move quickly to make an initial, timely notification that may require follow-up once a more complete analysis is ready.

Data Controller Responsibility – DPAs tend to have the greatest interest and assess the largest fines in incidents where the DPA finds fault with the company’s responsibility for EU personal data, particularly where there are repeat data breaches. In particular, DPAs have assessed how companies: identify and respond to data breaches, implement and maintain organizational and technical measures to safeguard personal data, assess third-party vendors, conduct data protection-related risk assessments, and document data breaches.

Mitigating Circumstances – DPA enforcement actions in 2020 drew particular attention to a number of mitigating factors in determining fines, and we expect these to be of continuing relevance this year: financial hardship, actions taken to minimize harm to individuals, cooperation with the DPA, appropriate notice to the regulator and individuals, other fines already imposed for the same incident, and absence of prior violations.

The memo also predicts that enforcement will expand during 2021 because more countries are implementing data breach notification procedures. But since DPAs are just as overworked as the rest of us, they seem less likely to follow up on incidents that involved a small number of individuals or less-sensitive personal data, or on companies without a significant EU footprint. Here’s a compliance checklist for US companies.

Liz Dunshee