21 Feb
How to be prepared for privacy dawn raids under the GDPR?
The strengthening of data protection authorities' powers under the GDPR, together with the potential sanctions, makes it crucial for companies to be ready to deal with privacy dawn raids.
What are privacy dawn raids?
A dawn raid is a surprise visit by the authorities to an office, a private residence or wherever they believe evidence can be collected. The Italian Privacy Code already gave the data protection authority the power to carry them out, and also provided that it may rely on the personnel of the tax police to conduct them.
Privacy dawn raids have indeed been quite frequent in Italy in recent years, with the Italian data protection authority periodically publishing the sectors it will target over the following six months. Some sectors, however, are always on its radar because of the large amount of personal data they process.
Without warning, the tax police arrive at the company's offices with an officer from the data protection authority and an IT expert, demand immediate access to the documents relevant to the investigation, and take a backup of IT systems and emails.
The reasons for a data protection dawn raid can vary widely. The authority might be targeting a sector, it might have received a complaint from individuals, it might have found evidence against the company in the course of another investigation, or it might be acting on a court proceeding or on information published in the media.
The golden rule for GDPR dawn raids
A complexity introduced by the GDPR is that, under the principle of accountability, the investigated party must be able to prove that it actually did what it was required to do in order to be compliant.
This is an essential change, since it broadens the scope of a potential investigation and of the documents and files that can be seized. The situation is even more complicated in countries like Italy, where legal privilege is not a strong limit on investigations.
An internal exchange of emails between departments, or in some cases even with external counsel, may be used as evidence of a potential privacy breach. At the same time, incorrect information about the company's conduct given by employees who do not have a clear understanding of internal privacy policies and procedures can trigger investigations that last for years.
To avoid such risks, the golden rule is to have a clear internal procedure for privacy-related dawn raids that sets out the actions to be taken at each stage of the investigation, including:
- Who the primary contacts are in each office of the company (e.g. not only the DPO and the company's external privacy counsel, but also a contact in each office), with specific instructions for receptionists as well on what to do;
- What escalation procedure is in place (e.g. the managing director and the head of legal shall be informed immediately);
- Who assists the officers from the data protection authority and the police (i.e. apart from the DPO, a technician who can assist them in searches of your systems);
- Which data protection documents are to be handed over to the data protection authority; these must always be kept up to date and ready for inspection;
- How interviews are managed, including training for personnel on the questions that might be asked, on the need to answer only questions whose answer they actually know, and on referring to internal policies and procedures without offering personal opinions.
Based on our experience, human error is the main source of problems in dawn raids: employees provide inaccurate information simply because they want to "feel important for a day…".
Having a procedure that sets out the steps above is essential, but training on it is even more important. On the same topic, you may find interesting the article "Top 5 immediate actions to get ready for Italian privacy dawn raids", which sets out principles applicable to any jurisdiction.