An $888 million fine against Amazon for alleged privacy violations of the European Union's General Data Protection Regulation (GDPR) has left many organizations wondering how they can protect themselves from similar compliance violations. The case focuses on how Amazon collects and uses personal data associated with the tech giant's EU headquarters in Luxembourg, according to Bloomberg.
The penalty that the Luxembourg National Data Protection Commission (CNPD) has proposed against Amazon surpasses the steepest GDPR fine to date, a $56.8 million penalty imposed on Google in France for its data-consent policies. In February, Marc Lemmer, a commissioner at the Luxembourg data protection agency, told Politico that the organization was not focused on hefty fines. "The aim is not to have big sanctions — the aim is to have a change in culture," Lemmer said.
Adopted by the EU in April 2016 and officially implemented in May 2018, GDPR aims to give individuals more control over how companies process their personal data. In 2020, we saw several fines in big tech stemming from GDPR — the 625 known fines issued as of May 2021 totaled $283 million in penalties.
The CNPD outlined a draft decision and proposed a fine for the GDPR violations, among 26 other national authorities in the bloc. The proposed fine provides an opportunity for companies to learn how to avoid similarly hefty penalties stemming from privacy violations as we start to see more fines with larger dollar amounts — fines that can total up to 4% of a company's annual revenue, the maximum allowed under the GDPR.
Following are four steps organizations should take to reduce the risk of privacy fines from GDPR:
Document Your Data Processing Procedures
Establish accountability by keeping a record of processing operations and document every step you take and everything you consider relevant as part of your data processing operations. Whatever you do with data, document what you are doing and why you are doing it.
Consider also keeping a library that contains internal policies and procedures, and spells out how the company meets the requirements set up in the law. These policies and procedures are called accountability mechanisms. Written policies and processes facilitate consistency. Consistency breeds compliance. Compliance breeds trust — and leads to positive interactions with regulators.
2) Leverage Your Privacy Team
Keep your privacy team in the loop regarding development of new products and services. Involve the privacy team in a timely manner in compliance efforts and rely on a qualified privacy officer or data protection officer. Follow the privacy officer's advice so that sensitive data will not slip through the cracks. Your privacy team can also provide compliance training to help reduce the risk of steep fines and drive privacy awareness.
3) Share How You Comply With Privacy Laws
Document your compliance. Being able to demonstrate on an ongoing basis how you comply with laws is what will make your program — and your response to regulators — successful. Complying without being able to demonstrate it means you have little to nothing to send or show regulators if requested. Sharing your processes on how you review ongoing compliance and keeping your records up to date can greatly reduce the risks of violating GDPR. Automated risk analysis and assessment management can help you review compliance. Knowing what regulations call for, doing what is required, and proving you know and did what is needed is a simple formula for managing compliance proactively.
4) Engage in Full Cooperation With Regulators
Coordinating, collaborating, and getting on good terms with regulators can reduce your risk of hefty fines. Of course, you don't need to provide more than is asked, but also don't provide less than was asked. A major factor in cases where companies receive a fine is failure to respond sufficiently to regulators. Often, Data Protection Authorities (DPAs) do not want to engage with companies directly to build a relationship, but to safeguard their independence.
The key is first, making sure you are taking the steps you need to take and documenting your efforts and activities, and second, cooperating. If you take these steps and put forth a diligent, concerted effort to comply with documentation and compliance reviews, the authorities will take good faith efforts into account and you can reduce your chances of incurring heavy fines for privacy violations.