Businesses are at a high risk to violate data privacy if they don’t embrace a threefold perspective of the General Data Protection Regulation, formed by legal, technical and business points of view. The article below dissects how ignoring that led to the breach cases of the first two years of GDPR — and what we can learn to avoid making the same mistakes.
Technical & organizational measures in perspective
By reflecting on data privacy breaches of the early years since the General Data Protection Regulation (GDPR) came into force, in May 2018, both law practitioners and professionals from the technical and business areas, develop a more critical perspective on upcoming challenges. It is necessary to understand the pitfalls and neglect that led some companies to prepare themselves insufficiently or leniently, despite the two-year period between adoption by the European Union and the enforceability of GDPR. Through the following case studies, practical measures will be recommended to assist in the correct adoption of data protection laws.
To achieve this purpose, a threefold perspective is suggested: legal, technical, and business.
Even among lawyers who have been working for years with data privacy and are fully familiar with the main concepts of data processing, some technical and practical intricacies are not part of their daily lives. For professionals in the technical areas of data processing, the most complex machine languages can seem trivial if compared to some legal expressions. Added to this, there is the interest of companies to prosper and meet their business needs. Therefore, all these perspectives need to dialogue so that the most important figure in this scenario is respected: the subject to which the personal data and the right to privacy belong.
Such an analysis becomes even more relevant as countries in other regions of the world adopt legislation similar to the GDPR. In Brazil, the General Law on the Protection of Personal Data (LGPD ) was approved in the same year that the GDPR came into force, and is expected to come into effect in 2020. The global trend is to develop specific legislation for data protection and privacy of its citizens.
Although the GDPR mentions several times the need to adopt appropriate technical and organizational measures, it is notorious that in none of the articles of the regulation such measures are expressly defined. For this reason, in the two-year period between the approval of the last version of the GDPR text and the moment when it became mandatory, companies had to decide their measures to adapt to the new data protection reality, without such measures having been specified. The main bases for their choices were the responsibilities listed for the figures of the controller (controller), processor (processor), and the data protection officer (Data Protection Officer, or DPO), in addition to the interpretation of the principles listed in Art. 5 of the GDPR.
Some of the measures taken by most companies were more prone to failures, which led to the first cases of data breach under the GDPR in the early years.
The main hypothesis explored in this brief study is that the risk of failure of these technical and organizational measures is associated with the lack of a holistic interpretation that encompasses the threefold perspective suggested here, that takes into account legal, technical and business aspects. The critical reflection on the technical and organizational measures already adopted, together with the study of real cases of breaches of data privacy, helps to better outline the measures that must be taken from now on.
Precautions commonly adopted by companies for GDPR compliance are:
- Asset management
- Access control (physical and virtual)
- Data pseudonymization 
- Control of data transfers, mainly to countries outside the European Economic Area (Art. 44 to 50 of the GDPR)
- Data recovery methods
- Security measures for remote access
- “Bring your own device” policies (BYOB)
- Clean working environment policy (screen and desk)
- Safe data disposal methods
- Mandatory GDPR training for employees
- Guarantee of the subject’s express consent before the collection of personal data
- Audit of personal data collection inventory
The propensity to failures is due to negligence with the practical application of the principle of data protection by design and by default (Art. 25 of the GDPR). This principle means incorporating data protection as a rule since the beginning of the development of products, services and business practices, as a way of minimizing the subsequent effort with the guarantee of data privacy. In turn, the carelessness with the principle of data protection by design and by default seems to be rooted in the lack of dialogue between legal, technical and business perspectives.
For example, it would not be surprising that a lawyer, when assisting a company to inventory its personal data collection, did not have sufficient practical technical experience with computer engineering to ensure that it went down to the lowest levels of data recording (log level data). Likewise, a data technician may not be aware that IP addresses are considered personal data, as they are not as obviously personally identifiable information as personal names or e-mail addresses. A company director, who did not have extensive legal or technical knowledge, but knew the relevance of obtaining certain personal data for the activities of his company, could accept without much questioning the legal and technical interpretations that were more favorable to the continuity of his business as it is, in order to avoid unnecessary costs. It is evident that, without a holistic perspective, a company guided by professionals like these, even if all were well intentioned and competent in their respective areas, is bound to breaches of data privacy.
Companies that were less rigorous in adapting to the GDPR prepared themselves insufficiently or leniently, and therefore took greater risks of committing data breaches.
This careless attitude towards adapting to the new data protection rules can stem from several factors. To understand the scenario of the first cases of GDPR, it is worth doing a brief investigation of hypotheses about the factors that led to the companies’ negligence with the personal data collected.
Building the threefold perspective mentioned above is challenging for any company, either because they do not find many professionals who have sufficiently deep multidisciplinary knowledge, or because of the difficulties in communication between professionals in the different areas. However, it is expected that this mismatch is mitigated quickly. The International Association of Privacy Professionals (IAPP) estimated in a 2017 study that the GDPR would create a need for at least 75k data protection officers, while more recent research indicates about 500k organizations with such professionals registered under the GDPR criteria . Many of these professionals seek proficiency certificates in data privacy, such as CIPP-E and CIPM, which can be obtained by professionals in any area, and help to standardize the minimum legal and technical knowledge about personal data protection.
There was also a belief that large corporations, especially those already known for public inquiries about their data collection policies, would be the most obvious prosecution targets for personal data breaches based on the GDPR. In fact, the McKinsey & Company consultancy found in a 2019 survey that consumer trust in companies that collect their data varies significantly according to factors such as industry and how companies limit the use of personal data . However, even though the probability of each company to end up involved in a data breach investigation or lawsuit varies, no company is exempt from GDPR scrutiny, and for that it is enough that a single person identifies that their personal data protection rights have not been respected.
Besides, with ever faster advances in data collection and storage technology, companies have long collected personal data simply because they could. As a result, the people who ran these businesses felt entitled to collect as much data as possible. The GDPR makes it clear that the processing of personal data must follow, among other guidelines, the principle of minimization (Art 5.1.c of the GDPR), according to which personal data must be limited to what is necessary for the purposes for which they were processed. This demands assessing the company’s needs in a restrictive manner, which requires time and business knowledge.
Many companies may have been lenient with the principle of minimization due to a sense of impunity.
Market research group Kantar TNS found that less than six months before GDPR came into effect, only 34% of respondents knew what GDPR was about . Most of the population was not fully aware of their rights guaranteed by the GDPR, which reduced the likelihood of data privacy breaches being discovered.
Learning from the earliest GDPR data breach cases
It is in this scenario, of lenient interpretation and insufficient preparation of the companies, that the earliest cases of data breaches under the GDPR occurred.
Sloppiness with data storage is a nightmare for both information technicians and business owners. It was a data privacy breach caused by this type of failure that motivated Germany’s data protection authority (DPA) to determine the country’s first fine  under the new rules, still in 2018, the year the GDPR came into force. The penalized company is only known to be a social media provider, not identified in the German authority’s press release. The company informed the DPA and affected users of a security breach when it discovered that passwords were stored in a text file. Such violation, based on the rules of processing security (Art. 32 of the GDPR), resulted in a €20K fine. After a case like this, companies should audit their password security and storage policies so as not to commit similar violations.
In addition to the storage methods, the lack of appropriate internal policies for data disposal can also cause problems. In 2019, the Danish DPA , based on the principle of data minimization (Art. 5.1.c of the GDPR), fined a company  that kept personal data in its systems beyond what was necessary. In the country’s largest taxi company app, Taxa 4x35, although users’ names were deleted from their systems 2 years after registration of rides, the rest of the information recorded about the ride remained on the systems. As a result, telephone numbers, which could be used to identify users, were kept in the taxi company’s systems, even after the names were deleted, well beyond the period stipulated for the company to keep the personal data necessary for the exercise of its activities. In this case, the fine amounted to DKK1,2M, equivalent to approximately €160K . Many companies that interpreted the principle of data minimization only with regard to collecting the minimum personal data necessary for their activities, may not have been aware of another aspect of this principle, just as the Danish company, being necessary to review the period during which they can continue processing that data.
Even before starting any type of processing, it is necessary to obtain consent from the subject to which the personal data refer (Art. 4.11 and Art. 7 of the GDPR), and negligence with this consent can have serious consequences. The data protection authority of France  fined Google in 2019  for two reasons: first, for failing to report its data protection measures in an easy and accessible way, with clear language, when users set up their Android mobile devices; and second, for failing to obtain users’ consent to process their personal data for the purpose of personalizing marketing advertisements. The lack of transparency or adequate information and lack of valid consent on ad personalization resulted in a €50M fine. The data technology for marketing has evolved fast in the past decade, to facilitate relevant communication between companies and consumers, but companies’ data protection officers need to keep in mind that the GDPR requires that the user consent is clear, specific and unequivocal about the purpose of processing personal data.
Google’s case analyzed by the French DPA in 2019 is also relevant from another aspect, as it involved data processing in different countries. For situations like this, the GDPR has introduced a “one-stop shop” mechanism (Art. 60 of the GDPR) that ensures collaboration between data protection authorities from different countries, to ensure that data privacy breaches are handled consistently across the European Union. In case of data being processed by a company in different countries, the data protection authority competent to lead the matter with the other authorities involved should be the country of the central administration of the company that processes the data. Although Google’s headquarters in Europe are in Ireland, the Irish DPA  considered that Google had not yet met the criteria for establishing its data processing headquarters in the country, so its headquarters in the United States of America was still responsible for processing EU users’ personal data, not their Irish unit. As a consequence, the data protection authority of France was considered competent, as well as other data protection authorities.
In the United Kingdom, there have also been cases investigated by the data protection authority under the GDPR. Although the UK has passed its own internal legislation  similar to the GDPR, in the context of Brexit , the application of the GDPR was confirmed for a transitional period until December 31st of 2020. The case of British Airways is a good reminder not to underestimate the thoroughness necessary in the data security measures. The UK DPA  announced  its intention to fine the company in £183M (about €200M) for a data leak in September 2019. In their investigation, the authority found that the breach occurred due to inappropriate security practices, and included login details, payment card, travel scheduling details, customer names and addresses.
Another case from the United Kingdom shows how some companies’ understanding of the principle of data protection by default and by design (Art. 25 of the GDPR) is still quite limited. The investigation by the UK DPA over the international hotel chain Marriott  focused on a data leak that occurred in November 2018. It was found that the Marriott chain did not take appropriate precautions when it acquired in 2016 the Starwood hotels group, whose systems had already been compromised in 2014. The fine was estimated at £99M (about €110M). This case shows how the principle of data protection by default and by design not only guides incorporating respect for privacy since the beginning of the development of new products and services, but also demands care with data privacy in all actions of a company, permeating all technical, legal and business decisions. It is also interesting to note that some data protection experts pointed out in early 2020 the likelihood of postponing the decisions of both UK cases mentioned, in addition to a possible mild application of the fines, due to the economic crisis of covid-19 in 2020 .
The last case studied indicates that there is still some difficulty in adjusting business interests so that the right to privacy regarding personal data is respected. The Royal Dutch Lawn Tennis Association  sent personal data of its members to sponsors, including name, gender and address, for the purpose of carrying out marketing activities related to the practice of tennis and other offers. However, this act does not fit in the processing of personal data for direct marketing that is carried out for a legitimate interest, as described in Recital 47 of the GDPR. The Dutch DPA  found that the association had no basis in data processing principles for sharing its members’ personal data with sponsors . Although it argued that the interests were legitimate, the association was fined €525K.
The cases briefly described above show the practical application of GDPR in different industries, in companies of varying sizes, and involving different principles of personal data protection.
These are the earliest cases that should assist the application of the GDPR in the future, whether in the application of the principles in other cases, in the review of each company’s compliance with GDPR, and even to support the interpretation of similar principles included in data protection laws around the world.
After reflecting on the lessons learned from the earliest GDPR cases, the next step is to review the adequacy of technical and organizational measures, under the proposed threefold perspective, to build better guarantees for the protection of personal data for the future. These final considerations therefore aim to help professionals in the technical, legal and business areas, and whoever works with data privacy.
The case studies indicate that lenient interpretations of data protection principles create high risks of violating data subjects’ rights, with severe consequences for the businesses: high fines  and exposure as companies that do not respect consumer privacy.
In order to adopt more adequate interpretations of the GDPR, it is necessary to build the threefold perspective. The legal point of view brings an understanding of the legal processes and consequences, and should guide rigorous compliance with the GDPR. The technical side needs to dive into the concepts and details of the processing of personal data that are beyond the knowledge reach of non-technical professionals, and make knowledge about data processing more accessible, as well as guide the adjustment of technical processes to comply with the personal data protection. Finally, the business point of view must balance the actions that allow business continuity, seeking both to preserve and innovate the practices that make the business possible, always guiding its decisions by respecting privacy and good data protection practices.
In more practical terms, even companies that have prepared for the GDPR to come into force, in the best possible way within their capabilities, need to review how they will act from now on, continuing to adjust to the data protection expected. This starts with a periodic review of the personal data inventory, as well as its processing methods and parameters. For this, technical teams need to receive adequate support, which involves time to carry out this assessment, training, conversations with legal and business representatives, and support in the adequacy decisions. In addition, it is advisable to adopt the maximum possible guarantees for data protection, given that certain adequacy parameters are subject to review . This is the way for companies to align themselves with the principle of data protection by design and by default, as well as other data privacy principles. Obviously, making the company “GDPR-proof” has a cost, but fines for data privacy breaches and their negative repercussions cost businesses a lot more, and the risks of incurring in breaches are not as low as some companies had evaluated at first.
This adequacy review effort needs to accentuate the threefold perspective, making the technical, legal and business sides dialogue.
Who are the representatives of each area? How often do they communicate? What are the questions they need to ask each other to increase understanding of how to be a company that adequately protects personal data? Does everyone understand the consequences and procedures associated with data breaches? Are there technical details that can generate any debate about the adequacy of the processing of personal data in relation to the GDPR? What are the consequences for the business if you need to interrupt or change the processing of personal data? There are many other questions to be discovered and explored when building and developing the threefold perspective that should guide data protection. Such questions will become increasingly clear as companies adopt the threefold perspective for their data protection future.
Notes and references
 Lei Geral de Proteção de Dados Pessoais (LGPD)
 The principles listed in article 5 of the GDPR are: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; accountability.
 Pseudonymising means treating personal data in such a way that the subject of the data can only be identified using complementary information, maintained separately. For example, replacing personal names with numeric codes, with a key kept separately that allows identification. Pseudonymised personal data is protected by the GDPR. It should not be confused with anonymous data, which is not considered personal data, as it is not identifiable with any additional information.
 Fennessy, C. Study: An estimated 500K organizations have registered DPOs across Europe. The Privacy Advisor. 2019. Available in: https://iapp.org/news/a/study-an-estimated-500k-organizations-have-registered-dpos-across-europe/ Accessed in: August 2020.
 Anant, V. e outros. The consumer-data opportunity and the privacy imperative. 2020. McKinsey & Company Business Functions. Available in: https://www.mckinsey.com/business-functions/risk/our-insights/the-consumer-data-opportunity-and-the-privacy-imperative. Accessed in: August 2020.
 Cooke, K. Data shows awareness of GDPR is low amongst consumers. 2018. Kantar UK Insights. Available in: https://uk.kantar.com/public-opinion/policy/2018/data-shows-awareness-of-gdpr-is-low-amongst-consumers. Accessed in: August 2020.
 LfDI — Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg.
 Hanssen, H. e Schuppert, S. Data Protection Authority of Baden-Württemberg Issues First German Fine Under the GDPR. 2018. Available in: https://www.hldataprotection.com/2018/11/articles/international-eu-privacy/data-protection-authority-of-baden-wurttemberg-issues-first-german-fine-under-the-gdpr. Accessed in: August 2020.
 Official Press Release: LfDI Baden-Württemberg verhängt sein erstes Bußgeld in Deutschland nach der DS-GVO. 2018. Available in: https://www.baden-wuerttemberg.datenschutz.de/lfdi-baden-wuerttemberg-verhaengt-sein-erstes-bussgeld-in-deutschland-nach-der-ds-gvo. Accessed in: August 2020.
 Bloomberg Law. Denmark Recommends First Fine Under New EU Privacy Law. 2019. Available in: https://news.bloomberglaw.com/privacy-and-data-security/denmark-recommends-first-fine-under-new-eu-privacy-law. Accessed in: August 2020.
 Official press release: Datatilsynet. Tilsyn med Taxa 4x35’s behandling af personoplysninger. 2019. Available in: https://www.datatilsynet.dk/tilsyn-og-afgoerelser/afgoerelser/2019/mar/tilsyn-med-taxa-4x35s-behandling-af-personoplysninger. Accessed in: August 2020.
 Conversion of Danish kroner to euros calculated in August 2020.
 CNIL — Commission Nationale de l’Informatique et des Libertés.
 The Council of State confirms the sanction imposed on Google LLC. CNIL. 2020. Available in: https://www.cnil.fr/en/council-state-confirms-sanction-imposed-google-llc. Accessed in: August 2020.
 Data Protection Commission.
 Data Protection Act 2018 e UK-GDPR 2020.
 United Kingdom’s decision to leave the European Union.
 Information Commissioner’s Office (ICO).
 Intention to fine British Airways £183.39m under GDPR for data breach. Information Commissioner’s Office. 2019. Available in: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/. Accessed in: August 2020.
 All conversion of British pounds to euros in this study was calculated in August 2020.
 Statement: Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach. Information Commissioner’s Office. 2019. Available in: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-intention-to-fine-marriott-international-inc-more-than-99-million-under-gdpr-for-data-breach/. Accessed in: August 2020.
 Muncaster, P. ICO’s BA and Marriott Fines Likely to Be Pushed Back Again. InfoSecurity Magazine. 2020. Available in: https://www.infosecurity-magazine.com/news/icos-ba-and-marriott-fines-pushed/. Accessed in: August 2020.
 Koninklijke Nederlandse Lawn Tennis Bond (KNLTB).
 Autoriteit Persoonsgegevens.
 Boete voor tennisbond vanwege verkoop van persoonsgegevens. Autoriteit Persoonsgegevens. 2020. Available in: https://autoriteitpersoonsgegevens.nl/nl/nieuws/boete-voor-tennisbond-vanwege-verkoop-van-persoonsgegevens. Accessed in: August 2020.
 The fines can amount to €20M or 4% of the company’s worldwide turnover in the preceding financial year, whichever is higher (Article 83.5 of the GDPR).
 For example, both Safe Harbor and its replacement Privacy Shield, agreements designed to ensure adequate levels of privacy protection for data transfers between the European Union and the United States of America, have been invalidated in the judgment of the cases known as Schrems I and II. The Privacy Shield was invalidated in July 2020 without a grace period, forcing companies to suspend data transfers that were backed only by the Privacy Shield, in addition to needing to adjust as quickly as possible their guarantees with the standard contractual clauses created by the European Commission.