2018 has been the year par excellence for data protection, when data leaks, exfiltrations, and abuses have made headlines all over the world. And against this backdrop of increased awareness about the challenges that working with sensitive data can entail, there is one regulation that has come to the fore: the GDPR (General Data Protection Regulation), which has been mandatory since May 25 this year.
Infringement of this regulation can incur fines of up to 4% of a company’s annual global turnover, or up to €20 million. It is therefore perhaps unsurprising that companies are now examining their data with a fine-tooth comb in order to stay on the right side of the legislation. However, despite this urgency, to date only 29% of organizations have implemented all the measures necessary to comply with the GDPR.
The first infringement complaints came on May 25, as soon as it came into force, when the nonprofit organization noyb.eu presented four complaints against Facebook, Instagram, WhatsApp, and Android. Noyb argues that these companies forced their users to accept their new service terms, something that violates the GDPR’s requirement that this consent be given freely. Nevertheless, these cases are ongoing, and as such, we still have some time before we see the outcome.
In October, Giovanni Buttarelli, the European Data Protection Supervisor, said that he expected to see the first sanctions before the end of the year. And sure enough, he didn’t have to wait very long.
Sanctions start to appear
The first fine was issued in Austria at the start of October, and although it is not strictly related to personal data processing, it is a good illustration of the reach that the regulation can have. A betting shop received a €4,800 fine for a security camera that was recording part of the pavement outside, since large-scale monitoring of public spaces is not permitted under the GDPR.
At the end of the same month, we saw the first fine related to the processing and storage of personal data. The Comissão Nacional de Protecção de Dados (National Data Protection Commission) in Portugal imposed three fines on the Hospital do Barreiro: two €150,000 sanctions and another of €100,000, a total cost of €400,000 for the hospital. The first two fines of €150,000 were for violation of the principle of data integrity and confidentiality, and violation of the principle of data minimization, which in theory prevents indiscriminate access to data: 985 physicians had active accounts on the system giving them access to clinical files, while the hospital had only 296 active doctors on the date of the inspection.
The third fine was related to the inability of the Hospital as data controller to ensure the confidentiality and integrity of the data of its clients and patients.
The most recent fine was issued in Germany in the middle of November. A German social network, Knuddels.de, received a €20,000 fine after a hack that caused 808,000 email addresses to be leaked, along with over 1.8 million usernames and passwords. This information was then published online with no encryption.
The social network reacted by saying that once the leak had been discovered, it immediately improved its security measures. After the incident, it was discovered that the website had stored its sensitive information without any kind of protection.
According to LfDI Baden-Württemberg, the German data protection agency responsible for handling this case, one of the reasons that the website received a “relatively low” fine was that it acted with transparency, and quickly implemented security improvements.
2019 will bring new figures
The economic sanctions that we have seen so far are clearly conservative compared to the highest possible penalties, but with the recent spate of high-profile data leaks – Marriott, British Airways, Quora – it won’t be long before harsher fines start to appear.
What can you do to avoid a fine, whether it runs to millions of euros or is more moderate? The most important thing to bear in mind is that prevention is better than cure: by having appropriate protection for the personal data that your company manages, you can avoid sanctions. Start by knowing exactly where this data is stored and who has access to it. To do so, it is vital to have advanced cybersecurity solutions.
Panda Data Control is a module of Panda Adaptive Defense that is specifically designed to help comply with data protection regulations. Discover, audit and monitor all unstructured personal data on your company’s corporate network. Only this way will you know where your company’s data is stored, who is handling it, and what actions they are performing on it.