The corporate world got a shock recently when Greece’s data protection enforcement body imposed a fine on one of the Big 4. PwC’s Greek holding, “PRICEWATERHOUSECOOPERS BUSINESS SOLUTIONS SA”, has received a fine under Article 83 of the GDPR amounting to 150 000 EUR.
In addition, the Hellenic DPA has also imposed corrective measures on the organization to be complied with under the European Regulation.
Why was PwC fined?
The GDPR clearly establishes legal bases, under which personal data may be processed by controllers. Consent is one such basis, but it’s not the only one. And PwC’s choice of consent as a legal basis for processing personal data of its employees was not appropriate, the DPA found.
The data was processed in the course of the company’s commercial activities, and the employees were not informed about that. That approach was found to violate the GDPR’s fairness and transparency principles.
The accountability principle was also not complied with since the company failed to demonstrate appropriate compliance and transferred the burden to data subjects. As PwC was in this case a controller of personal data, such transfer was inappropriate.
The Greek company was therefore fined and given a deadline of three months to take certain measures to become compliant.
What does it mean?
The Greek representative of PwC is the first of the “Big 4” to be fined under the GDPR. Moreover, it is the first consultancy to be fined that has itself helped many of its clients with GDPR compliance over the last year. It seems astounding that a company of PwC’s size and reputation, one that makes a lot of money giving advice on the GDPR, has been burned by the very fire it helps clients avoid on a daily basis.
And yet, it serves as a good reminder that no company located in, or catering to, the EU is exempt from having to comply with the GDPR. As the Google precedent shows, even the most influential players in an industry aren’t immune. The €150k that PwC must pay is, of course, no match for the $5bn fine imposed on the tech giant.
For one thing, it’s less than 0.5% of the Greek company’s annual turnover, which is not exactly in line with the GDPR’s guidelines. That fine was, according to the DPA, “an effective, proportionate and dissuasive sanction”. So, in the grand scheme of the shifting approach to privacy, it’s not that much at all.
The decision of the Greek regulator isn’t an insignificant one, however. PwC is a market leader in GDPR support, not least because of its global network. A lot of clients all over Europe have trusted the company to bring their policies and approaches in line with the law in the last year. It wouldn’t be a stretch at all for those companies to be shaken by the fact that the consultancy itself has proven to be vulnerable in relation to its employees, and to even lose trust in the auditor.
After all, goodwill and reputation are invaluable assets in any market today. And with the GDPR violations being such highly publicized cases in today’s world where privacy and data protection are very prevalent issues, it would be expected that PwC would need to do a lot of damage control to save face. With DPaaS and DRaaS companies appearing all over the market today, it could be the end of the Big 4 and large law firms’ monopoly on complex legal and compliance issues.
That’s not to say, though, that PwC’s reputation in the data privacy field is damaged forever. If the consultancy’s other branches take note of what the Hellenic DPA has told them and take measures to reassure their clients that they have learned their lesson and are ready to use it to become better business advisors, it could very well be an opportunity rather than a failure.
And given the launch of its legaltech accelerator, perhaps we could soon see a partnership between the auditor and a DPaaS start-up that would deliver privacy solutions that actually work and are compliant with the GDPR.