Legal Session #2: Data Protection Regulation
A few weeks ago, the second closed-door session was held for the Alice community together with the boutique law firm ATH21, in which Marina Fontcuberta, Senior Associate, answered questions regarding data protection, current regulations and how to comply with them in the different processes of the company.
“We’ve all heard the typical phrase ‘Data is the gold of the 21st century’, and it is. Many companies do not apply data protection regulations on a day-to-day basis, for example to create new business models or to launch marketing campaigns, and that is a mistake,” says Fontcuberta. This applies especially when the company’s activity is aimed at analysing data and user behaviour, information that is then used to refine those activities.
The importance of the General Data Protection Regulation (GDPR)
In a world where everything is connected and digitised, from our financial transactions to our social media conversations, personal and business information has become an invaluable resource. Data drives business operations, marketing, decision-making and innovation.
Data collection and analysis are common practices in almost every business. From small local shops to tech giants, all are looking to extract valuable insights from data to better understand their customers and improve their products and services.
However, with the vast amount of data in circulation, significant risks also arise. Cyber criminals are constantly on the prowl, trying to access sensitive information and use it for malicious purposes, such as identity theft or financial fraud. That is why data protection has become a top priority.
In addition to security risks, Marina emphasises the importance of individuals’ privacy. Personal data, such as names, addresses and telephone numbers, is sensitive information that must be handled with care. Data protection laws are designed to ensure that this information is used ethically and lawfully.
Marina also addresses a crucial aspect: customer trust. When customers trust that their data is safe and that a company treats it with respect, they are more likely to continue to do business with that company. On the other hand, if an organisation fails to adequately protect customer data and a security breach occurs, it can lose customer trust, which can have devastating consequences for its reputation and profitability.
Recent changes to the Data Protection Act
Data protection is constantly evolving. As technology advances and cyber threats become more sophisticated, regulations must adapt to better protect people’s data and privacy.
In May 2023, a change in data protection legislation focused on data breach notification was brought about by a ruling of the Court of Justice of the European Union. One of the main novelties introduced by the GDPR was the possibility of compensating data subjects when their right to privacy was considered to have been violated. With the amendment introduced in May, it is now established that actual damage must be proven before compensation can be awarded.
What happens if Data Protection is not complied with?
Many organisations underestimate the importance of data protection and assume that they can neglect certain aspects without serious consequences. However, non-compliance with data protection regulations can have a high reputational cost.
Fontcuberta presented three cases of leading companies that have suffered significant reputational damage due to data breaches. One of them is the case of Facebook and the security breach with Cambridge Analytica, a data breach that resulted in significant fines and undermined users’ trust in the platform. As a consequence, a decline in usage and a loss of market value were seen.
Another case is that of the company Madison, which suffered a security breach that exposed the private information of its users. The consequence was the company’s bankruptcy and a massive loss of confidence on the part of its customers.
The third case is that of Equifax, a credit reporting company that suffered multiple security breaches related to its delinquency databases. These incidents had a devastating impact on the company’s reputation and on customers’ perception of the security of their personal data.
Fines and penalties for data protection breaches
Data protection regulators have the power to impose significant fines and penalties on organisations that do not comply with the regulations. Such fines can vary in amount depending on the seriousness of the breach, but in severe cases, they can reach astronomical figures.
However, fines are not the only consequence of data breaches. Organisations may face additional sanctions such as the obligation to inform the data subjects affected by the breach, which can lead to loss of customer trust and reputational damage. In addition, it is important to cooperate with the regulatory authorities in the event of a data breach, as failure to cooperate may result in more severe fines.
This Legal Session between Alice Biometrics and ATH21 provided a comprehensive view of the importance of complying with data protection regulations. Compliance is necessary from a legal point of view, but it is also an investment in security, one that increases customer confidence and avoids reputational losses. In a constantly evolving environment, data protection must be a top priority for all organisations.