Share This Article
The strengthening of data protection authorities’ powers under the GDPR, together with the potential sanctions, makes the need for companies to be ready to deal with privacy dawn raids crucial.
What are privacy dawn raids?
A privacy dawn raid is a surprise visit from authorities at an office, a private residence or wherever they believe that evidence can be collected. The Italian Privacy Code already provided the possibility for the data protection authority to perform them, also stating that they can rely on the personnel of the tax police for their performance.
And indeed, privacy dawn raids have been quite frequent in Italy during the last years withย the Italian data protection authority periodically publishing the sectors that they will target during the subsequent semester. But there are sectors which are always under their radar because of the large amount of personal data that are processed.
All of a sudden, the tax police comes with an officer from the data protection authority and an IT expert to the company’s office and requires to get immediate access to the documents relevant for the investigation, also performing a back up of IT systems and emails.
The reasons for a data protection dawn raid can be quite different. The authority might be targeting a sector. They might have received a complaint from individuals or have identified evidence against the company as part of other investigation or operate following a court proceeding or information published on the media.
The golden rule for GDPR dawn raids
A complexity introduced by the GDPR is that, according to the principle of accountability, the investigated party needs to prove to have performed what it was meant to do to be compliant.
It is a crucial change since it broadens the scope of a potential investigation and the documents and files that can be acquired. And the situation is made even more complicated in countries like Italy where the legal privilege is not a considerable limit to investigations.
Internal exchanges of emails among different departments or even with external counsels in some cases might be used to challenge a potential privacy breach. At the same time, the provision of incorrect information about the conduct of the company by employees that do not have a clear understanding of internal privacy policies and procedures can lead to investigations that can last years.
The golden rule is to have a clear internal procedure to deal with privacy-related dawn raids which provide for the actions to be taken during the different stages of the investigation that include:
- Who shall be the primary contacts in each office of the company (e.g., not only the DPO, but also your external privacy counsel, but even contact in each office) with specific instructions to too the receptionists on what to do;
- What escalation procedure shall be in place (e.g., the managing director and the head of legal shall be immediately informed);
- Who shall assist the officers from the data protection authority and the police (i.e., apart from the DPO, a technician shall be available to assist them in searches on your systems);
- Which data protection related documents shall be handed over to the data protection authority that shall always be up-to-date and ready for the inspection; and
- How interviews shall be managed, providing training to the personnel on what questions are likely, on the need, for instance, to respond to questions whose answer is known and to refer to internal policies and procedures, without providing their personal opinion.
Based on our experience, human error is the primary source of issues in dawn raids since employees provide inaccurate information just because they want to “feel important for a day…“.
Having a procedure that sets out the steps above is essential, but having training on it is even more critical. You may find interesting on the same topic, the article “Top 5 immediate actions to get ready for Italian privacy dawn raids” which sets principles that apply to any jurisdiction and the video below as part of my video blog “Diritto al Digitale”