Article Six: The highest risk of GDPR fines
Data breaches are big news. They come with a major hit to the trust customers have with a business, and even parts of the world that don't have data privacy laws will often have some form of data breach law. It might be surprising though, for those focused on GDPR, that data breaches don't account for the greatest number, and greatest monetary value, of GDPR fines.
When looking at the history of fines imposed by EU member states, it is clear that the top spot goes to Article 6 violations, otherwise known as "insufficient legal basis for data processing."
What is lawfulness or legal basis of processing?
Legal or lawful basis for processing is how, or more importantly whether, you have the right to collect and process data about an individual. The GDPR, and the member states that enforce it, define a set of criteria for what counts as a legal basis. Adhering to those criteria is how you demonstrate the lawfulness of processing.
The best way to get started is to look at the six criteria that the GDPR outlines. They are:
- Consent: Has the person given consent to have their data processed for a specific purpose? This is the most common approved way to establish a lawful basis. In this case, you explicitly ask the person for permission and receive permission from them to collect and process their data.
- Contract: Is collecting their personal data necessary to complete the contract you have with the person? In these instances there is usually a consent component as well, but this basis covers edge cases where consent alone does not fit, such as unique contracts for services. If you can show that you needed to process the data to complete the task in your contract, you are meeting the legal basis.
- Legal obligation: Is collecting their data necessary to meet a legal obligation or to comply with a law or regulation? Where the law in a jurisdiction requires you to process data in order to complete a task, you can rely on the legal obligation criteria. For example, banks may be required to obtain tax identification numbers before opening business accounts. While other information they collect may require consent, the government requirement for the tax ID does not.
- Vital interest: Is collecting their data necessary to protect their life or safety? This basis often applies to healthcare organizations that need to collect personal information, such as biometric data, but cannot obtain consent from the individual. Most organizations will not be able to use vital interest to meet the lawful basis requirement.
- Public interest: Is it in the public's interest for you to collect data from the individual? As with vital interest, most organizations will not use public interest as their lawful basis. Instead, it applies to instances where the public good requires the collection of personal data, such as a public health crisis, law enforcement, or legal proceedings. One exception is organizations that act on behalf of the public, like universities or government contractors.
- Legitimate interest: Can you prove a legitimate need for processing the data? Legitimate interest is the gray area that many teams struggle with. It covers any processing necessary for the purposes pursued by the controller or a third party, as long as it does not infringe on the fundamental rights or freedoms of the person.
Why are so many companies fined?
According to statistics collected by GDPR Enforcement Tracker, since the very first month of GDPR fines in July 2018, more than €166,000,000 has been imposed for Article 6 violations, across over 237 fines as of spring 2021. The organizations fined range from large companies like Google and British Airways all the way down to regional e-commerce and energy companies. The way to avoid this is by demonstrating a legal basis for data processing.
Avoiding the risk of GDPR non-compliance
Data breaches are inevitable. You can do your best to mitigate them, but every good security team knows it still needs to plan for the day something is compromised. Fines for lacking a legal basis for processing, by contrast, are completely avoidable if you ask yourself a few key questions:
- Do we need to process this data?
- Is there a lawful basis, such as public or vital interest, that allows us to process this data?
- If not, have we asked for consent to do so?
- If not, do we have a legitimate interest that we can demonstrate and prove?
If you are acting in the best interest of your customers and practicing privacy by design, your risk of fines is very low. You can further prevent slip-ups by bringing privacy practices directly into your software development workflow.