Last November I moderated a panel at the Privacy + Security Academy Forum on the implications of non-financial sanctions being issued by data protection authorities under the GDPR.
The panel, which included Cian O’Brien, of the Irish DPC, led to a fascinating discussion. The one issue that drew most attention and input from the panellists and audience alike was how organisations should consider the impact of potential corrective measures being issued at the conclusion of an inquiry and the impact it would have on their business model and/or operations.
So when I read the Irish DPC’s press release last week announcing the conclusion of two inquiries into Meta Ireland, what grabbed me was not what most commentators focused on – either the fines issued, which at a total of €390 million are certainly material, or the seeming disagreement between the position taken by the Irish DPC on Meta’s case and that taken by ten other EU DPAs and the European Data Protection Board – but the fact that the DPC has also directed Meta Ireland to bring its data processing operations into compliance within a period of three months.
That seems like a very short time to change business processes, especially for an organisation with multiple platforms and a massive number of individual users who are affected by the decision. For a case that was opened on the very day the GDPR came into effect, 25 May 2018, and which has dragged on for over four and a half years, three months seems like the blink of an eye. Failure to remedy in the time required will lead to further sanctions, likely a fine, which would be painful. It could also lead to a stop processing notice, which could be fatal to Meta’s current business model in Europe.
For the well-advised, a very short remediation timeline should not come as a shock. My clients are told early in any investigative process to begin planning for the various potential outcomes, making sure that they have plans and processes in place to facilitate the swift implementation of required steps.
In some instances, organisations may choose to implement change, in part or in full, during the investigation. Such steps are likely to be taken into account by the DPAs when making their final decision on appropriate sanctions. From a commercial perspective, the organisation must accept that such planning may incur wasted management time and sunk costs if the changes are not eventually needed, but the consequences of missing the deadline, being exposed to further regulatory sanction and the associated media coverage, could be far more detrimental to the business.
So, much like life, it appears that in responding to DPA corrective measures, timing is (almost) everything…