Legal & Compliance
This is an unprecedented time of data privacy controls and audits. From the impacts of the release of GDPR from the European Union, to individual state statutes such as CCPA, Kierstone has mobilized our Data Privacy experts across multiple industries and understand how to fully implement these regulatory changes across Global enterprises, or local businesses.
What we do:
Consultation and program delivery on a range of regulatory change and compliance projects.
- General Data Protection Regulation (GDPR) compliance
- US State level Data Privacy regulations & data breach notification laws
- Data Privacy reviews and remediation
- Risk management strategy
- 3rd Party compliance checks & remediation
GDPR 2020-2021 Updates
Since GDPR came into effect in 2018, we witnessed high profile companies being fined due to non-compliance. 3 years on and companies are still falling foul of non-compliance, and facing hefty fines.
According to research from DLA Piper, between January 26, 2020, and January 27, 2021:
- GDPR fines rose by nearly 40%
- Penalties under the GDPR totaled €158.5 million
- Data protection authorities recorded 121,165 data breach notifications (19% more than the previous 12-month period)
The UK’s Data Protection Authority, the Information Commissioner’s Office (ICO), recently published data covering July 1, 2020, to October 31, 2020. The ICO’s data shows:
- The ICO received 2,594 data breach notifications.
- The most common cybersecurity incident was phishing.
- As usual, the most common cause of data breaches was misdirected email.
Recent Use Cases
1. Google – €50m
Although Google’s fine is technically from 2019, the company appealed against it. In March 2020, judges at France’s top court for administrative law dismissed Google’s appeal and upheld the eye-watering penalty.
How could this have been avoided?
Google should have provided more information to users in consent policies and should have granted them more control over how their personal data is processed.
2. H&M — €35m
On October 5, 2020 the Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M €35m — the second-largest GDPR fine ever imposed.
H&M’s GDPR violations involved the “monitoring of several hundred employees.” After employees took vacation or sick leave, they were required to attend a return-to-work meeting. Some of these meetings were recorded and accessible to over 50 H&M managers.
Senior H&M staff gained ”a broad knowledge of their employees’ private lives… ranging from rather harmless details to family issues and religious beliefs.” This “detailed profile” was used to help evaluate employees’ performance and make decisions about their employment.
How could this have been avoided?
Just don't do this.. seriously! H&M appears to have violated the GDPR’s principle of data minimization — don’t process personal information, particularly sensitive data about people’s health and beliefs, unless you need to for a specific purpose.
H&M should also have placed strict access controls on the data, and the company should not have used this data to make decisions about people’s employment.
3. TIM – €27.8m
On January 15, 2020 Italian telecommunications operator TIM (or Telecom Italia) was stung with a €27.8 million GDPR fine from Garante, the Italian Data Protection Authority, for a series of infractions and violations that have accumulated over the last several years.
TIM’s infractions include a variety of unlawful actions, most of which stem from an overly-aggressive marketing strategy. Millions of individuals were bombarded with promotional calls and unsolicited communications, some of whom were on non-contact and exclusion lists.
How could this have been avoided?
TIM should have managed lists of data subjects more carefully and created specific opt-ins for different marketing activities.
4. BA – €22m
In October, the ICO hit British Airways with a $26 million fine for a breach that took place in 2018. This is considerably less than $238 million dollar fine that the ICO originally said it intended to issue back in 2019. So, what happened back in 2018?
British Airway’s systems were compromised. The breach affected 400,000 customers and hackers got their hands on log in details, payment card information, and PI like travellers’ names and addresses.
How could this have been avoided?
According to the ICO, the attack was preventable, but BA didn’t have sufficient security measures in place to protect their systems, networks, and data. In fact, they didn’t even have basics like multi-factor authentication in place at the time of the breach. Going forward, the airline should take a data-first security approach, invest in security solutions, and ensure they have strict data privacy policies and procedures in place.
5. Marriott – €20.4 m
While this is an eye-watering fine, it’s actually significantly lower than the $123 million fine the ICO originally said they’d levy. So, what happened? 383 million guest records (30 million EU residents) were exposed after the hotel chain’s guest reservation database was compromised. PI like guests’ names, addresses, passport numbers, and payment card information was exposed.
Note: The hack originated in Starwood Group’s reservation system in 2014. While Marriott acquired Starwood in 2016, the hack wasn’t detected until September 2018.
How could this have been avoided?
The ICO found that Marriott failed to perform adequate due diligence after acquiring Starwood. They should have done more to safeguard their systemswith a stronger data loss prevention (DLP) strategyand utilized de-identification methods.
6. Wind — €17m
On July 13, Italian Data Protection Authority imposed a fine of €16,729,600 on telecoms company Wind due to its unlawful direct marketing activities.
The enforcement action started after Italy’s regulator received complaints about Wind Tre’s marketing communications. Wind reportedly spammed Italians with ads — without their consent — and provided incorrect contact details, leaving consumers unable to unsubscribe.
The regulator also found that Wind’s mobile apps forced users to agree to direct marketing and location tracking and that its business partners had undertaken illegal data-collection activities.
How could this have been avoided?
Wind should have established a valid lawful basis before using people’s contact details for direct marketing purposes. This probably would have meant getting consumers’ consent — unless it could demonstrate that sending marketing materials was in its “legitimate interests.”
For whatever reason you send direct marketing, you must ensure that consumers have an easy way to unsubscribe. And you must always ensure that your company’s Privacy Policy is accurate and up-to-date.
7. Google – €7m
2020 was not a good year for Google. In March, the Swedish Data Protection Authority of Sweden (SDPA) fined Google for neglecting to remove a pair of search result listings under Europe’s “right to be forgotten” rules under the GDPR, which the SDPA ordered the company to do in 2017.
How could this have been avoided?
How could this have been avoided?Google should have fulfilled the rights of data subjects, primarily their right to be forgotten. This is also known as the right to erasure. How? By “ensuring a process was in place to respond to requests for erasure without undue delay and within one month of receipt.”
8. BBVA (bank) — €5m
This fine against financial services giant BBVA (Banco Bilbao Vizcaya Argentaria) dates from December 11, 2020.
The BBVA’s penalty is the second biggest that the Spanish DPA (the AEPD) has ever imposed, and it shares many similarities with the AEPD’s largest-ever penalty, against Caixabank, issued the following month.
Taken together with the record fine against Caixabank, it’s tempting to conclude that the Spanish DPA has its eye on the GDPR compliance of financial institutions.
How could this have been avoided?
The AEPD fined BBVA €3 million for sending SMS messages without obtaining consumers’ consent. In most circumstances, you must ensure you have GDPR-valid consent for sending direct marketing messages.
The remaining €2 million of the penalty related to BBVA’s privacy policy, which failed to properly explain how the bank collected and use its customers’ personal data. Make sure you include all the necessary information under Articles 13 and 14 in your privacy policy. Business X.png