The General Data Protection Regulation (GDPR) has been in force for three years and, as with any similar regulation, the level of regulatory risk it poses is linked to its enforcement in practice. During 2020, 38 cases were investigated by the Information and Data Protection Commissioner (IDPC). While the number of data breaches investigated by the IDPC has been increasing exponentially, these represent only a portion of the cases reported to the IDPC. Reporting a data breach is an important obligation imposed by the GDPR, though in practice reporting will always be preceded by a risk assessment determining whether the incident is in fact a reportable breach.
Sanctions for GDPR violations are dependent on data sensitivity, the number of data subjects involved, the breadth of exposure and the detriment potentially suffered by data subjects. The attitude and practices within an organisation are also considered - a nonchalant approach to data protection or repeated offences is likely to lead to higher penalties. Continued compliance in this respect requires businesses to assess the GDPR related impact of technical advancements, new equipment, operational improvements and other changes, on an ongoing basis.
Fines for non-compliance with the GDPR should be “...effective, proportionate and dissuasive…” and applied on a case-by-case basis. The maximum fines are calculated as a portion of a defaulting organisation’s global annual turnover and can vary between the higher of 2% of turnover or €10 million for less critical infringements, and the higher of 4% of turnover or €20 million for more serious ones.
The fines issued in Malta do not come close to the millions of euros’ worth of fines imposed throughout the EU. However, this does not seem to reflect a relaxed application of the Regulation locally, but rather that the extent of data processing carried out by smaller local enterprises typically does not compare to the level of data processing carried out by larger multinational organisations.
An overarching goal for all organisations must remain that of ensuring that a high level of security is applied to the personal data collected. This is achieved by having in place the procedures necessary to limit the data being processed to that which is strictly required for the purpose at hand. Sufficient technical and organisational measures must be put in place to protect data from any unauthorised access, by ensuring that data is only accessible to the relevant personnel and that the storage of data is managed in a lawful manner.
Furthermore, the interplay between data protection, information security, privacy, cybersecurity and anti-money laundering legislation in the current regulatory environment makes it all the more important for organisations to obtain specialist guidance to ensure that client and employee information is processed and stored appropriately. Data protection audits that periodically review an organisation’s data processing activities play a pivotal role in managing compliance risks in this area.