gdpr new ruling blog

Why a New Legal Ruling Could Intensify GDPR Compliance

December saw one of the biggest changes to European data privacy regulation in recent memory. After a request from German and Lithuanian courts, the European Court of Justice (ECJ) issued a new ruling to clarify when and how regulators can fine companies for breaking data privacy laws.

Legal and security experts argue the ruling will make it easier for regulators to enforce data protection regulations, potentially leading to higher GDPR fines. As a result, there’s increased pressure on compliance teams to ensure their firms are storing and processing personal data in a legal manner.

Regulatory Impact

In Germany, regulators fined real estate firm Deutsche Wohnen €14.4m for storing customer data for longer than needed. Meanwhile, the Lithuanian court had fined the country’s National Public Health Centre €12,000 and its IT service provider €3000 over a Covid-19 contact tracing app which violated the GDPR. Both organisations contested the fines, leading local courts to request clarity from the ECJ on the matters.

It ruled that data protection regulators can only impose GDPR fines for “wrongful conduct”, whereby a company has “intentionally or negligently” violated GDPR. And when fining an organisation, regulators must calculate financial penalties based on its parent group’s annual turnover, if applicable.

Since the ECJ made its landmark GDPR ruling, there’s been much speculation about how it’ll impact data regulations across Europe. Breaking down the decision, Ensurety managing director, Keith Budden, explains that it has two main dimensions.

Firstly, he says regulators can issue GDPR fines even if they can’t determine how one person’s actions caused a data breach. Secondly, he explains that companies could face regulatory action if an individual or organisation representing them, such as a sub-processor or an individual contractor, violates data protection rules.

“It will become easier for regulators to impose a financial penalty on an organisation,” he tells ISMS.online. “And the breadth of liability has increased, in that it has cleared the way for a data controller to be fined, even when the breach of GDPR regulations is limited to the activity of one of its data processors, or indeed one of their sub-processors.”

Kelly Indah, a security analyst at Increditools, believes that the ECJ’s December ruling will “significantly” strengthen the way in which regulators enforce data protection rules.

“According to the ruling, regulators have more leeway to levy fines that are meaningful deterrents, rather than capped at a certain percentage of annual turnover,” she tells ISMS.online. “Additionally, the decision streamlines regulatory processes so authorities can act swiftly when non-compliance is discovered.”

Irwin Mitchell partner and data protection expert Joanne Bone is more sceptical of the ruling’s overall impact.

“Whilst this may expand liability in jurisdictions where supervisory authorities had to prove that management were at fault to fine a company or organisation, this ruling will come as no surprise in the UK,” she tells ISMS.online.

“In my view, it has not substantially shifted the landscape in respect of fines under EU GDPR.”

Bone says the ECJ’s recent decision will not result in stricter liability, meaning authorities can only impose fines when they find some wrongdoing. She adds: “It is now clear that there needs to be intentional or negligent conduct on the part of the company or organisation.”

The Importance of Compliance

However, the ruling could still put more pressure on companies to ensure they have adequate data protection policies and processes in place. In particular, companies will need to implement a range of policies, procedures and controls to help their staff handle data without violating data protection rules, argues Bone.

“Not only will procedures need to be put in place but they will need to be rolled out, adhered to, and policed by organisations,” she adds.

Increditools’ Indah explains that adopting an information security management system (ISMS) that follows international cybersecurity standards such as ISO 27001 can be a big help in this regard.

“This provides a systematic, auditor-friendly way to ensure all aspects of data protection compliance get addressed continuously through review and improvement,” she says. “With regulators coming down harder, demonstrating a commitment to stewardship through certification can only help demonstrate good faith efforts.”

Indah takes the view that it’s no longer enough for organisations to treat data protection as a tick-box compliance task. She says organisations must perform regular internal and external data protection audits, train employees on handling data responsibly, and demonstrate leadership-level commitment to understanding the latest data protection regulations.

“Rather than fearing higher fines, companies would do well to embrace robust security practices as a competitive opportunity and business enabler,” Indah adds. “After all, the alternative risks reputational damage, regulatory penalties and loss of customer trust – which in the long run could impact the bottom line much more severely.”

Ensurety’s Budden urges companies to keep updated records of their data processing activity and provide staff with data protection training, in order to meet their regulatory data protection requirements. Other tasks include implementing all required data policies and procedures, completing up-to-date data protection impact assessments, and ensuring they have adopted all technical and organisational measures laid out by regulators.

Vance Tran, co-founder of Pointer Clicker, agrees that ISO 27001 provides a good baseline for adhering to data protection regulations. But he says organisations can expand on this by adopting privacy technologies, DevSecOps models and a privacy-conscious company culture.

He adds: “I see this ruling as an opportunity. By prioritising ethical, user-centric solutions up front, developers can not only meet legal rules but also build real user trust. It’s an exciting chance to help create systems founded on privacy and consent from the ground up.”

In today’s highly digitised economy, businesses are handling an ever-growing amount of personal data. While this data is useful for better understanding and targeting customers, it puts businesses at risk of hefty fines if they don’t strictly follow data protection rules.

 

Explore ISMS.online's platform with a self-guided tour - Start Now