Data protection

Turning a blind eye to data protection can end up costing millions

By:
Gregor Alaküla

Having data protection affairs in order at a company ensures reliable and trustworthy relations with business partners and a stronger position at the negotiating table. On the other hand, problems can mean fines running into the millions of euros, even long after the issues are resolved.

Violations of the General Data Protection Regulation can lead to huge fines. “There is no maximum limit on the amount of fines, as fines can reach up to 4% of a company’s turnover,” said Grant Thornton Baltic’s data protection specialist Indrek Keis on the Äripäev radio programme “Kasvukursil”.

The expert noted that Amazon was recently fined in excess of 700 million euros for data protection shortcomings, and that data protection authorities in Ireland slapped WhatsApp with a fine in excess of 200 million euros. “These would be vast sums in Estonia,” he noted.

Possible harm to business relationships

Data protection is also important when establishing new business relationships. “Just like banks must know their customers, companies have to know their partners,” said Keis. “Before starting a partnership with someone, any company wants to be sure that the partner will use the data on their customers or employees responsibly, in line with the regulation.”

He said that some prospective partners might even conduct an audit of each other for assurance. “If the audit turns up problems, that shortcoming will amount to a loss of negotiation ground,” said Keis. He said the problem can be resolved by outsourcing the data protection specialist service. “Although a violation must always be eliminated, if the partnership has not begun yet, a partner might opt to choose someone else instead,” Keis said.

A warning sign for investors

Keis acknowledges that deficient data protection is often the reason investors get cold feet. “If the product in question is software or an application and decisions about the architecture have been made in a way that doesn’t support data protection, preventing data from being deleted or access from being limited as needed pursuant to the rules, that limits scalability and entails a greater compliance burden,” he said. “In such a case, it may be difficult to get investors to put capital into the company.”

Investors are also sensitive about companies with large customer bases. “No doubt many of us have received emails that ask you to confirm that you agree with processing of data by the sender – that’s actually a sign of a company not being certain whether the customer database is in line with the rules and they are trying to get your permission for further use of your data,” said Keis. “In the case of some customer databases, there is a risk that they cannot be used because the advertising department has not gathered the data properly, and this is a warning sign for investors.”

Putting firm rules in place

Every company should also be certain whether it has the right to retain certain data at a given point in time. “Essentially, nothing may be retained unless there is a need for it,” he stressed. “It also translates to extra risks for the company,” he said, alluding to possible data leaks. For example, if a person no longer wants to be emailed advertising offers, their email address should not be retained after the person has unsubscribed. Furthermore, many types of data have to be stored encrypted. “Examples are health data in the medical field, and in the financial sector, data on creditworthiness,” said Keis.

It should also be possible to designate who has access to the data. “Access must not be granted to people who will not use the data for the purpose for which they were collected,” said Keis, bringing up the example of the positive credit register being set up by the government in Estonia.

Burden of proof lies with the one protecting the data

Keis says every company must itself take responsibility both for avoiding fines and for gaining the trust of partners. “A leak doesn’t always result in a fine; rather, it depends on whether there was negligence. If the company can demonstrate that it made all reasonable efforts to prevent a cyber attack, there need not be a penalty.”

Business partners also expect a partnering company to prove at every step that it did everything correctly. “For any transaction, the business should be able to show that everything is in order. If there is a large customer base, they should show that these data were collected lawfully,” Keis emphasized.