"Romania, three GDPR fines, two European premieres" is how we could sum up the context in which our country finds itself, having seen in the past few days a GDPR lesson in three parts: the banking system, tourism and services. This is not a negative thing; on the contrary, it shows the courage of the Romanian Data Protection Authority to take paths that are still uncharted. If the fine applied to UniCredit Bank drew attention, for the first time, to the principle of privacy by design, the second fine, applied to the WTC, was based on the principle of the operator's responsibility to implement and, above all, to comply with the technical and organizational measures protecting personal data. The most recent fine applied so far in Romania came as a surprise to all of us, especially because it targeted a legal consulting company well known for launching the first GDPR document kit in Romania. We have all realized that any of us can suffer a security breach, regardless of field of activity or level of professionalism.
Ana-Maria Udrişte, the founder of avocatoo.ro (the company fined by the Romanian DPA), accepted our invitation to give an interview exclusively for Dpo-NET.ro - Data Protection Officers Network, providing important information that will help us remind ourselves that our responsibility extends to the actions of our employees and to the actions of our business partners.
Ana-Maria Udrişte is a lawyer specialized in business law and passionate about technology, and about how to connect the legal field with people outside it, making information easier for them to access through simple, everyday language. She is the founder of the avocatoo.ro site, which aims to educate society and thereby help people develop, not only by knowing their rights but also by knowing how they can protect themselves. She has managed to explain the law in language as accessible as possible and to offer online legal services focused on concrete solutions to visitors' specific cases or dilemmas, not just on providing answers. Since the GDPR entered the scene, she has also explored this area. "I believe in this set of rules, I believe in technology and in its correct use, so that so far I and the avocatoo.ro team have managed to put together a consistent set of articles and documents that attempt to elucidate the phenomenon. In short, we do not sell GDPR, but offer a starting point and an understanding for people interested in this field, which is new for most and constantly changing," says Ana-Maria Udrişte for dpo-NET.ro.
It is a European premiere to fine a company that offers GDPR consultancy and implementation services, and in this case we are talking about your own company (avocatoo.ro). How was such a security breach possible, and what steps did you take immediately after identifying it?
UA: When we migrated the site from one host to another, a WooCommerce plug-in was used to migrate an inactive database containing encrypted data about online transactions involving legal entities. A partial version of this file remained in one of the back-up versions, and it did not even appear in online vulnerability testing. And the person who knew exactly where to look, because he went straight to the link, made the complaint. From the moment I was informed, which happened through the online chat on the site, by the person who made the complaint about this vulnerability, I secured everything in less than 10 minutes, a fact confirmed even by that person in the conversation.
The Authority said that on February 1, 2019 the information was publicly available and that the issue was resolved immediately. However, although we requested additional information, including in confidential form, we were not given access to it.
We immediately identified the document and carried out the internal analysis to decide whether or not notification of the authority and of the persons involved was required, given the public nature of the data, its volume, the transaction date and, consequently, the possible risk, which was practically non-existent.
Later on, we rebuilt the site from scratch, added a higher level of security through triple password and key usage, and defined much clearer roles for access and modification.
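The incident described above turned on a partial database export left behind in a backup under the web root, at a path that external vulnerability scanners never requested. A file-system-side inventory of the deployed site catches that class of leftover regardless of whether the URL is guessable. The script below is an added example, not code from avocatoo.ro or from the interview: it walks a web root and flags files by suspect extension, by suspect name fragments, and by the first bytes of the file (so a mysqldump output renamed to `.txt` is still caught). The suffix list, name hints and the sample web root it builds are assumptions constructed for the example.

```python
# Added example (not part of the interview or avocatoo.ro's own code): inventory
# backup-like artifacts left under a web root after a site migration.
import re
import tempfile
from pathlib import Path

# Extensions and name fragments that typically mark database dumps or
# migration archives. Assumed list; adjust to the stack actually in use.
SUSPECT_SUFFIXES = (".sql", ".sql.gz", ".zip", ".tar.gz", ".tgz", ".bak", ".old", ".csv")
SUSPECT_NAME_HINTS = re.compile(r"backup|dump|export|migrat|clone", re.IGNORECASE)

# File signatures checked on the first bytes, independent of the file name.
MAGIC_PREFIXES = {
    b"-- MySQL dump": "mysqldump header",
    b"PK\x03\x04": "zip archive magic",
    b"\x1f\x8b": "gzip magic",
}


def classify(path: Path) -> list[str]:
    """Return the reasons a file looks like a leftover dump/backup (empty if none)."""
    reasons = []
    name = path.name.lower()
    if name.endswith(SUSPECT_SUFFIXES):
        reasons.append("suspect extension")
    if SUSPECT_NAME_HINTS.search(name):
        reasons.append("suspect file name")
    try:
        with path.open("rb") as fh:
            head = fh.read(16)
    except OSError:
        return reasons
    for magic, label in MAGIC_PREFIXES.items():
        if head.startswith(magic):
            reasons.append(label)
            break
    return reasons


def find_backup_artifacts(web_root: str) -> list[dict]:
    """Walk the web root and list every file that classify() flags, with size and reasons."""
    root = Path(web_root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = classify(path)
        if reasons:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "size": path.stat().st_size,
                "reasons": reasons,
            })
    return findings


def build_sample_webroot() -> str:
    """Construct a small WordPress-like tree in a temp dir (sample data, not a real site)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    files = {
        "index.php": b"<?php // front controller\n",
        "wp-content/plugins/shop/shop.php": b"<?php // plugin code\n",
        "wp-content/uploads/2019/02/photo.jpg": b"\xff\xd8\xff\xe0 fake jpeg",
        # leftover export: caught by extension, by name and by content
        "wp-content/uploads/2019/02/orders-export.sql":
            b"-- MySQL dump 10.13\nINSERT INTO wp_posts VALUES (1);\n",
        # renamed dump: neither extension nor name gives it away, only the header does
        "wp-content/uploads/notes.txt": b"-- MySQL dump 10.13  Distrib 5.7\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return str(root)


if __name__ == "__main__":
    for finding in find_backup_artifacts(build_sample_webroot()):
        print(f"{finding['path']} ({finding['size']} bytes): {', '.join(finding['reasons'])}")
```

Run it against the real document root after every migration or restore (for example from the deploy pipeline, before the host is switched live), and treat any hit under an upload or backup directory as something to delete or move outside the web root rather than rely on the path being obscure.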
What were the steps of the investigation conducted by the Authority that led to this fine? Did you also receive recommendations or corrective measures? Does it seem justified to apply these measures?
UA: The steps were simple and to the point. I received the request to provide the information via e-mail and I also responded by e-mail. There was no written procedure apart from the handing over of the sanctioning report. I have not received any recommendations or corrective measures, nor proposals, nor even a single mention of this issue.
If we look at the company's turnover, the fine is 2.6%, which is much higher than the other two sanctions applied. At the World Trade Center the fine would be about 0.2%, and at UniCredit Bank it hovers around the same value, according to publicly available information. We might say it seems a bit disproportionate, but I can also understand the authority's approach of being tougher with operators, to send out the message that "GDPR works at any level, even in Romania."
In Romania, up until now, three fines have been applied for non-compliance with the GDPR, with the Supervisory Authority conducting nearly 1,000 investigations in the first year, adopting a prevention-oriented attitude and ordering corrective measures. Do you think that fines have an important role in applying the GDPR? From practical experience, are most Romanian operators trying to comply with the GDPR out of responsibility or out of fear of fines? Is anyone thinking about the reputational risk?
UA: The fines do not solve this problem. Look at competition law, where the Council is very active and conducts information campaigns across the country.
From my point of view, and not only mine, we need an information campaign from the authority and from other digital or consumer-protection organizations, so that an ordinary person or a commercial entity can know what rights they have, what obligations, WHY it is important and what steps to take.
It's not an established idea, but we are a nation that likes to take legal action, so the fines will only increase the number of disputes, and in the end we will only be left with the idea that "I will get away with it next time."
Let's look at the Authorities in the UK, Ireland, France, Belgium and The Netherlands, which issue guides and weekly recurring notes. In France, we have the fine applied to Sergic, where the authority "begged" the company to comply. After almost one year, when the Authority saw that the company had done nothing of what it had been told, it applied the fine. Which is not the case with us, unfortunately.
New operators, in most cases, try to comply in order to tick an action off the list called "GDPR - to do". Reputational risk is relegated to third place, not even second, as you might think at first glance.
After all, the industry has been discussing for some time that there are indications that health data "wanders" around without control, and no one says anything and no one is upset about it.
We received a fine of 2.6% of our net turnover (according to the information available on the website of the Ministry of Finance).
We have been told many times in the last few days that we should have gotten a warning, at most. We do not comment on the authority's decision; we respect it, whether it seems a big amount or not.
The message from the Supervisory Authority is extremely strong, stressing that risk analysis and appropriate measures require increased attention from any operator. So we could say that identifying risks is one of the most important steps towards a high degree of GDPR compliance. However, if some operators fail to identify breaches, how could they identify risks?
UA: This is where a person with practical experience, who can see beyond the papers, comes in. One issue noted this year is that the person who supports the organization in implementation has to have a practical vision and see the business flow before the organization itself even thinks about it.
In practice you see what kind of data there is, where it comes from, what happens to it, etc. And then, working with the organization in detail, you can identify risks you might not have thought of. And I also think you need to imagine a range of practical scenarios, which often happens in the communications industry, for example. The idea is to be as detailed and unusual as possible at first, as you slowly get to something tangible that will surely apply.
Let's say Ionel delivers invoices in envelopes to the recipients. Perhaps Ionel stops to buy a pack of cigarettes and forgets to lock the car door. And somebody takes all the envelopes, thinking it's money. Or Ionel is angry because his wife did not answer his phone call and throws the envelopes with promotional leaflets into a field, because he wants to go to the bar for a beer. And we have a risk and a possible breach. Would you have thought of it in the first place?
As we can see from the analysis of the first three cases in which Romanian data operators were sanctioned, a fine imposed by the Supervisory Authority may also arise following an investigation initiated after the operator has filed a security breach notification. Do you think this will lower the incidence of security breach reports from operators?
UA: The reality is that most operators do not even know what a security breach is or when it should be notified. As I wrote at one point, a security breach can happen when writing an e-mail: because most e-mail programs automatically fill in a recipient, you might choose the wrong one.
But yes, I think this will considerably decrease the number of operators reporting. If, for example, and once again I draw a parallel with competition law, the operator benefited from a mitigating circumstance, leniency or immunity when notifying a breach, then we would find ourselves in a situation where operators had a real interest in doing so. If we do not like the parallel with competition law, let's talk about how they fix things in aviation and why it has become one of the safest environments.
In the absence of such benefits, the majority will stand aside, on the idea that "it is possible that no one notifies the authority, so why should I give myself away?" And then again it is a problem. The legislator or even the authority could have intervened and offered such solutions, and thus increased the degree of cooperation, awareness and accountability. But who notifies, knowing that they can be punished for doing so?
Let's also talk about the Cambridge Analytica and FTC scandal, where Facebook and the authority are in the negotiation phase of a deal, under certain conditions, to close the investigation. Okay, 5 billion dollars, but it could have been more. We do not have such benefits.
You have a rich legal activity, including the development of one of the most popular document kits for implementing GDPR principles, along with specialized consulting services. What do you think of operators who simply acquire the kit without investing in an in-house specialist or contacting an external specialist? How can we fight, as data protection specialists, against this phenomenon whereby an operator attempts to formally obtain documents proving compliance, in the absence of substantial changes in the way they operate?
UA: We have constantly tried, especially through what we write on the blog, to provide as many examples and methods as possible for identifying risks and finding the right approach.
We have always said that the one who best knows how to implement it is the organization itself, especially at the level of small and medium-sized businesses, because the people who are in the business daily are usually those who founded the organization. And they are best placed to know, at first hand, where the data comes from and where it goes.
We also took an "as many examples and as much guidance as possible" approach to help you better identify data flows and possible risks. This is your first task as an organization: take a pen and, with a series of documents, start to work through what you think would apply to you and how you see things.
Later, once you consider this part finished, you should turn to a person who checks the documentation and finds out whether things have somehow been overlooked, or how to handle the issues further. We have consistently offered, at no extra cost, assistance on this side. People also write to us on social networks or by email and ask us for certain information or revisions of documents, and we do it if we have the time. And sometimes we also write articles about situations we realize could be of interest to several people.
But it is very important to choose the right person to help you with implementation and to make you understand that documentation is not enough; that is what I have always said: GDPR is a mix of legal, technical and organizational aspects and involves both rethinking operational processes and implementing or adapting technical solutions that ultimately increase individuals' trust in the organization and redistribute it to all parties involved.
It has been one year since the GDPR started to apply and more than three years since it was adopted. What challenges have you faced as a data protection specialist? What has changed in this period, and how do you see the evolution in Romania and at European level in the short and medium term?
UA: We looked forward to the entry into force of the GDPR at European level. At the macro level, we do not realize the importance of our personal data. For example, we use the phone to locate ourselves, reach a destination, send holiday pictures, share documents, information and albums with others, make appointments at various salons that we later save to the calendar in our phones, receive or send money, listen to music, record what we eat, what time we wake up, which friends we went out with.
Without realizing it, if someone has access to your Google account at some point, let's say, they can basically see your whole life.
And it is not normal for this data:
(1) to be requested in more detail than necessary,
(2) not to be protected,
(3) for you to have no idea what happens to it once it is collected and stored.
Let's just consider that, based on this information, you can build someone's profile without struggling too much. Not to mention the situations when you find out that you have a loan you did not know about. You'll laugh, it may seem impossible, but it has happened before.
As I said, people are not aware of the importance of data until you give them examples like the ones above. Nor can we expect too much from a simple user of technology. To most people, regulating the collection, storage and transmission of data might seem a utopia. GDPR is not a bogeyman or an extra reason to expand bureaucracy. And if some think of it as ticking a to-do list to be GDPR compliant, others go to extremes and shut down their sites or no longer communicate data, as in my own case when a private clinic did not want to give me, after a preliminary check, my patient ID so that I could check my test results, and I had to travel 40 km to get to the center.
It's not about that. First, we talk about awareness, then responsibility and accountability.
According to the report issued at European level by the European Commission, 73% of those concerned know their rights. But this is at the European level. At national level I tend to think that not even 15% know about the GDPR, how it works and what it does, and what personal data is.
And fines will not solve this problem, because it is about education and information. That is what we are trying to do on avocatoo.ro with GDPR solution packages. A fine will only make them say "well, I'll sign some documents and that's it; anyway, fines are a normal thing."
So, in the short term, we will see several service providers offering you GDPR compliance without you having to do much.
What tips can you offer to data protection specialists, a newly emerging profession which probably faces the greatest professional challenges due to the general character of Regulation (EU) 2016/679 and the lack of uniform benchmarks for its interpretation and implementation?
UA: Read a lot, especially from the websites of foreign authorities, which offer very good and applied information. Even press articles, specialist sites, tabloids, hypothetical situations: this being a new and constantly evolving domain, you need to stay connected with the latest news so you know exactly what to watch out for and how to identify any problems that may arise.
In conclusion, what does an operator have to do in this case, and what advice would you give to managers who have waited until now for "something to happen" without taking any steps towards GDPR compliance?
UA: Operators should keep in mind that the GDPR problem is not "who" but "when". Because no one escapes a security breach; sooner or later you can have one, no matter how good you are. And the best option, if you have a security breach, is to minimize the risks. Let us be aware, therefore, that it is a real phenomenon and that it can happen for reasons no one ever thought of.
GDPR alignment is not a "signed paper" but involves the operator's accountability to all involved. The operator must first know what data it collects, where, what it does with it and whom it sends it to. And it should carry out its own preliminary audit, as best it can, and then turn to the help of people who, above all, understand its field of activity and with whom it can implement the necessary procedures from the operational, technical and legal points of view.