You know that cleaning out the garage is a good idea. You would have more storage space and would even be able to put the car into the garage, which is better for security, for keeping it clean, and for ensuring an easy start on a frozen winter morning. Even if you don’t have a garage, you likely have an equivalent example such as a loft or that cupboard in the kitchen, yet somehow these tasks are often put off and rarely top of the “to do” list. Information governance often falls in this category; a great idea that struggles to make it to the top ahead of competing corporate priorities.
For both the garage and information governance, the issue is the creation of a compelling business case. For the garage, the arrival of a new car or a spate of car thefts in the area is enough to push this task to the front. For information governance, the business case might be that a company is enlightened enough to realize that its data is an under-utilized asset or it might be a question of time and effort being wasted in the struggle to find the information when needed. However, these positive drivers might not be enough. Sometimes you need to look at the risk if nothing is done.
In our view, building a strong business case for information governance will be a laconic combination of both the carrot and the stick. This blog will focus on the stick because that is often the hardest factor to spell out in clear terms. We will take you on a journey through the GDPR fines that have been levied since it came into force in May 2018, show how European regulators see information governance as an essential element of a companies’ data protection obligations, and give you the necessary background to prepare your business case.
Why address information governance now?
It is worth just pausing to ensure we are all talking about the same thing, so let’s define information governance. You can see Gartner’s definition here. For our purposes, we can talk in simpler terms and define information governance as “the people, processes, and technology involved in seeking to ensure the effective and efficient creation, storage, use, retention, and deletion of information.”
Now, let’s turn to the GDPR. The total of fines under the GDPR, since it came into force in May 2018, approaches €300m. The big fines usually relate to processing personal data without good reason or consent (e.g. Google - €50m), or for inadequate security leading to data breaches (e.g. British Airways - £20m). As a result, many organizations prioritize this type of work.
However, after a thorough trawl, we see a growing body of decisions where fines have been imposed by regulators for information governance failures. In our view, the top 5 reported “information governance” fines are:
- €15m Deutsche Wohnen (Berlin DPA) – set aside on procedural grounds
- €2.25m Carrefour (France)
- €290,000 HUF (Hungary)
- €250,000 Spartoo (France)
- €160,000 Taxa4x35 (Denmark)
GDPR fines, in detail
The largest fine is the Deutsche Wohnen matter. In 2017, the Berlin Data Protection Authority (DPA) investigated Deutsche Wohnen and found its data protection policies to be inadequate. Specifically, personal data was being stored without a necessary reason and some of it was being retained longer than necessary. In 2019, the DPA conducted a follow-up investigation and found these issues were not sufficiently remedied and thus issued a fine of €15m. The Berlin DPA explained that Deutsche Wohnen could have readily complied by implementing an archiving system which separates data with different retention periods thereby allowing differentiated deletion periods, as such solutions are commercially available.
In February 2021, Criminal Chamber 26 of the District Court of Berlin closed the proceedings on the basis the decision was invalid and not sufficiently substantiated. The Berlin DPA had not specified the acts by the management of the company that supposedly led to a violation of the GDPR. The Berlin DPA has announced it would ask the public prosecutor to file an appeal. It would be a mistake to interpret the nullification of the fine as evidence that information governance / data retention is not an important issue for DPAs. Such an interpretation would be ignoring that fact that there is no criticism as to the substance of the findings made by the Berlin DPA in relation to Deutsche Wohnen’s approach to data retention.
Holding data without necessary purpose or not actively deleting data has been a theme of fines by other DPAs as well. In Denmark, the Data Protection Authority recommended fines for similar inadequacies as follows:
- 1.2m DKK (€160,000) on Taxa4x35. A DPA inspection discovered that although customer names were deleted after 2 years, their telephone numbers remained for 5 (as a key field in the CRM database)
- 1.1m DKK (€150,000) on Arp-Hansen Hotel Group. Personal data was being stored longer than was necessary and in breach of Arp-Hansen’s own retention policies
- 1.5m DKK (€200,000) on ID Design. A routine DPA inspection revealed old customer data not being adequately deleted. Although, like Deutsche Wohnen, this fine was subsequently reduced on technical grounds, the commentary on the corporate information governance policies still holds.
In France, three fines have been imposed relating to the holding customer data well past what the regulators deemed necessary:
- In the Carrefour matter, there was a fine of €2.25m for various infringements including that Carrefour had retained the data of more than 28 million inactive customers, through its customer loyalty programme, for an excessive period.
- In SERGIC, there was a fine of €400,000 for various infringements including that SERGIC had stored the documents of unsuccessful rental candidates beyond the necessary time to achieve the purpose for which the data was collected and processed.
- In Spartoo, there was a fine of €250,000 for reasons including that Spartoo retained data for longer than was necessary for more than 3 million customers. In Spartoo, the regulators also called out that the company had not set up a retention period for customer and prospect data, did not regularly erase personal data, and retained names and passwords in a non-anonymised form for over 5 years.
Although the authorities in France and Denmark have been the most active, they are not alone. In Hungary, HUF was issued with a fine of approximately €290,000 based on the absence of a retention policy for a database containing personal data. And in Germany, Delivery Hero failed to delete accounts of former customers who had not been active on the company’s delivery service platform for years and was fined €195,000.
Other authorities may not yet have imposed fines, but their attention is turning in the direction of information governance. A number of DPAs have issued guidance, the scope of which includes data retention (e.g. the Irish DPA, in Sept 2020, on how long COVID contact details should be retained; the French DPA, in October 2020, on how long union-member files should be retained).
How to get started on your business case
There is a genuine threat to companies stalling in relation to information governance, particularly around personal data. The decisions to date represent a small percentage of the activity in this area, as many of the violations are dealt with by regulators directly. We don’t know what, if any, settlements have been agreed upon, but the decisions that we have located are helpful and instructive for building the business case for prioritizing this work.
The first thing to do is create an internal overview for why this area matters – use the above to show that there is risk and that regulators are paying attention. Hopefully, our overview will help you to identify the size of the stick. As to the carrot, that will be very company-specific, but our clients who have successfully made the case focus on the efficiency gains that can be made if information is properly governed as well as the opportunity to mine more effectively their own information for its real business value. Next, take a look at your policies and areas that may require adjustment based on the above in order to gain some insight into the scale of the activity. Now your business case should be taking shape. You might also consider looking wider than the GDPR, such as the increasing number of state data protection frameworks within the US.
We recognize this process is an oversimplification and each step requires a significant time investment by your organization, but spending time focusing on the necessity of retaining personal data, as well as the length of retention (and subsequent deletion), are critical elements in minimizing your risk. If you have any questions about how to proceed, or the decisions listed above, feel free to reach out to firstname.lastname@example.org.