Time to look beyond GDPR compliance in your privacy journey

in Regulatory/Compliance, 28.10.2019

In its 2018 annual report, the CNPD (National Commission for Data Protection) outlines its activities following the entry into force of GDPR in May of the same year.

Join us as we take a closer look at some of the key findings impacting every organization’s privacy journey.

Individuals’ rights: the number of complaints has more than doubled

In 2018, the CNPD received 450 enquiries (compared to 200 the previous year). This sharp rise not only indicates that people are feeling increasingly concerned about their privacy, but that companies are failing to adequately address these concerns – and provide straightforward, easy-to-understand responses.

So, what are the top three concerns?

  1. Denied access to data (24%)
  2. Request to delete or rectify data not carried out (16%)
  3. Lawfulness of the personal data processing activities (15%)

In an era where transparency and the rights of individuals should be at the center of privacy programs, these telling figures show that it is still work in progress.

It is worth remembering that companies must be prepared to handle such requests. The “wait-and-see” approach just won’t cut it given the 30-day response time imposed by GDPR. For requests to be handled appropriately, a multitude of questions must be taken into account: Is the DPO timely involved throughout the process? Are response times monitored? How is the legitimacy of the request ensured? Were test cases performed? The list goes on.

Data breaches: basic errors could spell serious consequences

Between May and December 2018, 172 data breaches were reported by the CNPD. The main culprits?

  1. Non-malicious, internal human error
  2. Hacking

Did you know that roughly half of all data breaches are due to personal data being sent to the wrong recipient? This means that organizations can invest in security processes, procedures and monitoring tools (access control, data leak prevention etc.), but the first vector of security breach remains the employee.

While human behavior can certainly not be error-free, it is crucial to train the staff on security and privacy topics and create awareness among employees. It really does pays off in the end.

Data privacy and data security are intrinsically linked. Serious threats including phishing and installation of untrusted software may lead to the compromise of an organization’s information system, and result in severe consequences such as fines from regulators and loss of brand reputation. Organizations must ask themselves if their employees are aware of such threats, and if they are equipped to handle data breach situations.

Monitoring and control Data Protection Authority audits

In 2018, the CNPD carried out 12 on-site investigations focused on video surveillance, geo-tracking, advertising and marketing. These controls were based on a proactive or reactive approach, depending on what triggered them (incidents, complaints, etc.). In addition, 25 audits have been conducted on the theme of the Data Protection Officer role (appointment, tasks, responsibilities, etc.).

With the ongoing support of the European Commission, which supports national data protection authorities in their efforts to reach out to stakeholders, the CNPD will continue to strengthen its enforcement of the data protection rules.

Are you on track in your privacy journey?

Have you assessed the current readiness of the organization to undergo an inspection or an investigation? Have you conducted mock-audits? Have you considered GDPR certifications as a tool for demonstrating compliance? These are just some of the tasks you’ll need to add to your checklist.

Get in touch with us! Our team of experts is on hand to help you ask all the right questions.

This article was written together with Estefania Rizzo.


Leave a Reply

This blog is pre-moderated which means that all comments are reviewed by a moderator before they appear. KPMG reserves the right not to publish any comments made.