Privacy pros are now celebrating the three-year anniversary of the GDPR, even as we are living through the current pandemic. It is, in fact, almost impossible to talk about privacy trends without touching on the COVID-19 crisis.
Seemingly overnight, the world turned digital. What first appeared as novel technology used by geeks became the norm in 2020, bringing forth a plethora of issues for companies to tackle. Although those issues are not new, their volume and severity in the current circumstances are breathtaking. Let us look at some of the most important ones, eventually merging them into a single interconnected topic.
What does it mean to be online? The world as we knew it before the crisis relied heavily on personal contacts – customers could verify that a service provider was real and the provider communicated with known customers (presenting his/her ID, and a real face). Although many businesses used electronic communications to further customer relationships in the past, today many of them do not even see their customers in person at all. This creates extreme pressure on the trustworthiness of modern communication, identification, and authentication tools.
The use of digital IDs in the Czech Republic by citizens has been limited. What could be a game-changing experience is the introduction of the “BankID” – an initiative of Czech banks that provides identification and allows other governmental authorities or certification entities to authenticate and conclude agreements within the eIDAS regulatory framework. (We are glad to say that our law firm advised the banks on the implementation of the BankID system, as well as contributing to the drafting of legislation underpinning it). And who else is in a better position to guarantee the security of the whole process than banks, which are the traditional guardians of secrecy and discretion, with strong internal compliance mechanisms?
On the other hand, banks are just a part of the wider economy, and the use of digital tools has expanded across all sectors during the pandemic. And here comes the twist – every technology has its weaknesses, and as Murphy’s law puts it, “Anything that can go wrong will go wrong.” Cybersecurity experts will add that it is not a question of “if” things will go wrong, but “when.” Not one week passes without the world media reporting news about cyber-attacks, whether it’s hackers causing malfunctions in vital infrastructure systems or just ordinary businesses unable to operate for a few days. It’s like a continuous earthquake and rising flood moving around, never stopping. And statistics from the Czech Data Protection Office (DPA), which receives personal data breach notifications, show that this trend is not staying away from the Czech Republic. What is, however, more alarming (and possibly also promising) are the causes of these data breaches. Most of them happened because of human error, technical misconfigurations, and a failure to audit security measures regularly. In other words, those data breaches were probably not inevitable and could have been avoided if an internal level of compliance had been sufficiently maintained.
Another risk of going digital without properly assessing the legal constraints involves direct marketing, which can of course be a very effective method of reaching out to customers – almost the only one if you cannot meet people in brick-and-mortar shops. In 2020, in a groundbreaking case, the DPA imposed the previously inconceivable penalty of CZK 6 million on a company for sending unsolicited commercial communication. The DPA’s message was clear – disobeying the rules will not pay off, and penalties will be set to diminish any profits the sender may have obtained. And the takeaway for any business is that any department, whether responsible for marketing or customer care, must be aware of the risks that even well-intentioned actions can have.
This brings us back to the inter-connecting theme: a workable compliance system with regular audits, preventive checks, systematic training, and independent oversight. Only this will contribute to promoting the security and trust of the online world we have all suddenly learned to live in. Anything else is just sitting and waiting for the next disaster to strike.
By Robert Nespurek, Partner, and Richard Otevrel, Counsel, Havel & Partners
This Article was originally published in Issue 8.6 of the CEE Legal Matters Magazine.