PwC offered cybersecurity services and ended up being fined $170k USD for data privacy issues

The data protection regulator in Greece has reported that the leading consultancy PriceWaterhouseCoopers (PwC) will be fined $170k USD for violations of Article 83 of the European Union’s General Data Protection Regulation (GDPR), data protection specialists report. Data protection authorities in Greece also imposed some corrective measures that must be implemented by the company to comply with European data law.

European community data legislation lays down the regulatory bases to which any organization that operates on personal data must submit to control this information. While the consent of the data subjects is one of these bases, it is not the only one, so the way to control PwC’s personal data was inappropriate, according to the opinion of the Greek data protection authority.

The company processed this information in the course of its business activities without employees being informed about it. The authorities determined that this way of working with personal information violates the principles of fairness and transparency set out in the GDPR.

The company also has accountability issues, as it failed to demonstrate adequate compliance with the GDPR and transferred the burden to data subjects, an inappropriate procedure as set out in the regulations, mentioned by data protection specialists. Therefore, the Greek company was fined and now has a three-month deadline to comply with the taxes established by the authorities.

This is the first time that one of the 4 greatest consultants in the world receives a fine for non-compliance with the GDPR. The irony of this issue is that PcW is one of the companies that had the most work a couple of years ago advising multiple companies to comply with European data legislation. “It’s really amazing that this company is generating so many revenue from GDPR-related services and now it turns out that it has violated an article of this legislation,” data protection experts said.

This is a sign that any company that controls personal data could default to GDPR, regardless of whether they are small companies or large companies. Another well-known case is that of Google, although in this case the fine was much higher, reaching 5 billion dollars. In the case of PwC, the data regulator in Greece stated that “this amount has been established as an effective, proportionate and deterrent method”, in other words, the strictly provisions of European data regulation have not been used. 

However, this does not mean that this decision is an irrelevant fact; according to data protection specialists from the International Institute of Cyber Security (IICS), this fine could trigger a number of similar measures, as many companies have contracted PwC’s advice to comply with the European data; a bad computer security practice at PwC could replicate in many other companies, increasing this problem of non-compliance.

To the company’s fortune, its reputation in the field of data security has not suffered irreversible damage; PwC executives can still demonstrate to data regulators that they are able to implement the measures recommended by the Greek government, so more than a big fiasco, this is a great opportunity to learn.