PwC fined €150,000 by Hellenic Data Protection Authority

A good reputation is hard-won but easy to lose. PwC, which ranks as the second-largest professional services firm in the world, will no doubt be reflecting on that overworked saying, following the news that it has been fined for failing to comply with the General Data Protection Regulation (GDPR).

According to PrivSec Report, the GDPR fine followed a complaint, after which the Hellenic Data Protection Authority (DPA) conducted an ex officio investigation into the lawfulness of the processing of personal data of employees working at PwC. According to the complaint, employees were required to give consent to the processing of their personal data.

Following the investigation, the Hellenic DPA concluded that PWC BS as the controller had unlawfully processed the personal data of its employees “contrary to the provisions of Article 5(1)(a) incident (a) of the GDPR since it used an inappropriate legal basis.”

False Impression

PrivSec reports that PwC unfairly and non-transparently processed the personal data of its employees by giving them the false impression that their data was being processed on the legal basis of consent, in accordance with the GDPR, whereas in reality their data was being processed under a different legal basis, of which the employees had not been informed.

The Hellenic DPA also found that, although PwC was responsible in its capacity as controller, “it was not able to demonstrate compliance with Article 5(1) of the GDPR”, and had violated the principle of accountability laid out in Article 5(2) of the GDPR “by transferring the burden of proof of compliance to the data subjects”.
As a result, the Hellenic DPA imposed a fine, in accordance with Article 83 of the GDPR, amounting to €150,000.

Put Your Own House In Order

The fine in itself, of course, is just small change. The reputational damage, however, is vast. How do you explain to your clients that you are a GDPR subject matter expert when you can’t even put your own house in order?
I imagine there must be red faces all round at PwC HQ but putting aside any sense of schadenfreude – not that I would allow myself to indulge in such feelings, of course! – the GDPR ruling is a salutary lesson for all CIOs, COOs and their senior leadership teams.

The lesson is two-fold. First, companies need to thoroughly review their own internal procedures and approaches to data protection. Secondly, they may need to review their assumption that the so-called big four consultancy firms have all the answers. They don’t, and indeed the sheer scale and global reach of a business operating across multiple jurisdictions – probably more than 100 – make it increasingly challenging for them to conduct their own internal due diligence, let alone audit whether clients’ data controls are fit for purpose.

Time Surely Running Out

EU data regulators have been lenient to date, but their patience is running out, as BA and Marriott Hotels can both attest, and it is likely to wear even thinner as we approach the second anniversary of GDPR enforcement.

A 2019 Ovum report found that two-thirds of businesses expected to have to change their global business strategies to accommodate the new data privacy regulations while over half of companies surveyed anticipated fines for non-compliance. That is an extraordinary statistic. Are those 50% of firms really willing to accept leaving money on the table when it is so unnecessary?

Yet, according to the International Association of Privacy Professionals (IAPP), Fortune 500 firms are spending $7.8 billion on GDPR compliance to avoid the threat of severe sanctions from EU member state regulators. The GDPR budget for the average Fortune 500 company is $16 million, the report found.

Despite the massive preparation, the IAPP survey found there is still a long road ahead. Less than half of respondents said they are fully compliant with GDPR and one in five said they believe that full compliance is impossible to measure. This is patently untrue.

Firms must act now to ensure their compliance, activate their response plans and make sure they’re not exposed before it’s too late. Contact us by calling +44 (0)20 7193 1966 or by emailing info@fifthstep.com.

Darren Wray