Shoosmiths LLP
  November 3, 2023 - Milton Keynes, England

GDPR compliance: Should you sweat the small(er) stuff?
  by Shoosmiths LLP

A recent data protection fine highlights the risks of getting a few key things wrong.

Fines for large data security breaches always grab press attention; however, a recent €600,000 fine from the French data protection regulator (the CNIL) brings into sharp focus the risks for businesses that get a few key things wrong without any catastrophic failure among them. It highlights that all organisations need to think about where the weaknesses sit in their compliance programme, or potentially face a similar fate.

The CNIL received 31 complaints against media group CANAL+ for its marketing activities and response to data subject rights requests. This led to a full investigation into the CANAL+ website and an audit of its privacy compliance, as a result of which the CNIL found infringements of the EU GDPR and the French Post and Electronic Communications Code.

Once under the microscope, the company fully co-operated with the extensive investigation, which included consideration of its policies, supply chain contracts and arrangements, marketing activity, website activity and dealings with the regulator. The investigation was opened in January 2021 and has only just concluded.

It must have been a trial for the company, but for others it provides an object lesson and warning about the importance of investing wisely in targeted compliance activities to avoid a much more costly exercise when it’s too late.

CNIL’s findings

The CNIL found the following breaches:

This was not a question of systemic failings or blatant disregard for the rules. CANAL+ had attempted to undertake all of its activities in a compliant manner. But, as the French saying goes, “small streams make a river”, and once it started looking closely, the CNIL found failings in each one of these areas, which added up to a significant fine. This will no doubt have come on top of some hefty management and legal costs.

Key takeaways

The ruling will cause alarm bells to ring for any company that thinks it has a robust and compliant privacy programme. So when thinking about de-risking, these are the key lessons companies can learn from the ruling:

Be careful of direct marketing and DSARs. Complaints about unsolicited marketing and careless data subject rights responses were enough to trigger a painful trawl into every area of privacy compliance.

Lots of relatively minor breaches make a major problem. None of the breaches were severe, and there was no question of “structural failure”. Nevertheless, the CNIL found breaches at every level, and it’s the cumulative effect of minor problems which seems to have caused the fine.

Policies and procedures matter. The regulators will look at the fine print and are ready to pick up on any deviation from the rules which they consider material. Privacy policies are a central area of risk.

No contract too small. The breach of Art. 28(3) GDPR rested on a single non-compliant supplier contract. Renewal of existing contracts without updating privacy terms is the classic pitfall.

Liability cannot be subcontracted. Regulators repeatedly point out that blaming a supplier for not managing marketing consents properly will not wash. The same goes for all controller compliance.

Decisions not to notify a data breach need special care. The company assessed the right guidelines but made the wrong call. Getting experienced advice, and recording judgements carefully, are the best defences.

Read full article at: https://www.shoosmiths.com/insights/articles/gdpr-compliance-should-you-sweat-the-small-er-stuff