GDPR – One Year Later…

The penalty for failure to comply with the General Data Protection Regulation (GDPR) is up to $22 million or 4% of annual global turnover (whichever is greater). By now most organizations around the globe know that regardless of where they are based, this regulation affects them if they are doing business with EU citizens. Aside from having a responsibility to properly handling personal data, that amount of money can really hurt your business. For example, under the Data Protection Act of 1998, Facebook was fined £500,000 (US $650,337) for the Cambridge Analytica scandal – if this had happened 8 months later that number would have been around $1.7 billion.

In this article, I will outline which organizations have already been affected, why they were fined, how much it cost them, and how they could have avoided it using StealthAUDIT.

What Companies Have Been Fined Under GDPR So Far?

October 2018 First GDPR Fine Issued by Austrian Data Protection Regulator

Four months after the introduction of the GDPR, the Austrian Data Protection Authority (DSB) has issued its first fine after stating that the DSB will at first enforce only remedial powers for first-time infringers. As such, this first fine of EUR 4,800 was delivered to an entrepreneur who was found to be in contempt of GDPR for installing a CCTV camera in front of their establishment which also recorded a large part of the sidewalk. The DSB had found this to be in violation of the GDPR, as the large-scale monitoring of public spaces is forbidden under the GDPR. Since this CCTV camera was also not appropriately marked as conducting video surveillance, the applicable transparency obligations had not been fulfilled.

While the sum of the fine was moderate, the precedent of what a data protection regulator can find a company in violation of the GDPR for is significant.

How could they have prevented this?

Knowledge. There is no substitution for having a qualified data protection officer who is aware of potential GDPR infractions. This small fine is just scratching the surface when it comes to areas an organization will need to be aware of, hire qualified people or pay the price.

November 2018 – German Chat Site Faces Fine Under GDPR After Data Breach

Germany’s first fine under the GDPR was enforced on the chat site called Knuddels.de, one of Germany’s largest chat platforms. The data protection watchdog Baden-Württemberg discovered that 1.87 million username/password combinations and over 800,000 e-mail addresses were dumped on Mega.nz and Pastebin.com. Knuddels.de was fined €20,000 following the breach which affected 330,000 users, including their passwords and e-mail addresses.

How could they have prevented this?

The probe showed that the site was storing the passwords in plain text, which is what justified the fine. Using data security software like StealthAUDIT which has the capability to detect plain text passwords, weak passwords and much more – Knuddels.de would have been well aware of this vulnerability.

“By storing the passwords in clear text, the company knowingly violated its duty to ensure data security in the processing of personal data in accordance with GDPR Article 32(1)(a),” reads the statement by the data protection authority. The provision concerned of the European Union’s General Data Protection Regulation(GDPR) covers “the pseudonymization and encryption of personal data”.

December 2018 – Portuguese Hospital Staff Use Bogus Accounts to Access Patient Records

In July of 2018, the Portuguese Supervisory Authority (CNPD) fined a hospital for €400,000 under the GDPR.

According to reports, the CNPD investigated the hospital and found that the hospital’s staff, psychologists, dietitians, and other professionals had access to sensitive patient data through fake profiles.

The hospital’s profile management system revealed that although the hospital only had 296 doctors, there were 985 registered doctor profiles. To make matters worse, all doctors had unrestricted access to all patient files without regard for the doctor’s specialty. The hospital countered that it was using the IT system provided to public hospitals from the Portuguese Health Ministry to no avail – the CNPD ruled that it is the hospital’s responsibility to make sure that whatever IT system it uses complies with GDPR standards.

How could they have prevented this?

There are several ways this hospital could have prevented this issue beginning with a data access governance plan. Managing your users and accounts can be daunting especially with the added pressure of the GDPR compliance regulations. With the proper user management system in place, this hospital could have easily remediated unnecessary access and removed the extra accounts ultimately avoiding this fine and protecting its patients.

January, 2019 – Google is Fined €50,000,000 by France’s Data Regulator

The first complaint under the EU’s new GDPR regulation was filed against Google the very same day that the legislation took effect on May 25th, 2018 and by January of 2019, Google was facing a 50 million Euro fine which is the largest fine to date.

Google has been fined by France’s data regulator, having been cited for a lack of transparency and consent in the use of advertising personalization, including a pre-checked option to personalize ads. The regulator claims it judged that individuals were “not sufficiently informed” as to how Google was collecting its data to personalize advertising.

How could they have prevented this?

1. Transparency

• The French regulator said that Google hadn’t received clear consent from individuals to process data since “essential information” was “disseminated across several documents”.
• “The relevant information is accessible after several steps only, implying sometimes up to five or six actions,” said the regulator.
• “Users are not able to fully understand the extent of the processing operations carried about by Google.”

Link to CNIL’s article

2. Proper consent

The regulator also found that Google had failed to obtain an actual legal basis for processing user data.

• “The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent”
• Furthermore, it said that the option to choose to personalize ads was “pre-ticked” when creating an account which does not fall in line with GDPR standards.
  • “The user gives his or her consent in full, for all the processing operations purposes carried about by Google based on this consent (ads personalization, speech recognition, etc)
  • “However, the GDPR provides that the consent is ‘specific’ only if it is given distinctly for each purpose.”
• Dedicated legal resources
• Many large companies are hiring dedicated legal resources to address the new GDPR regulation in addition to data protection officers. This legislation is so broad that in order to truly abide by its dedicated resources are required.

March, 2019 – Double Feature: Denmark and Poland Fined Under GDPR

Danish company Taxa 4×35 – a large taxi company in Denmark.

The first Danish company to have been found guilty of GDPR violations is the taxi company Taxa 4X35 which was found to have just under 9 million stale customer records and missed the deadline set for deleting customer information.

According to Taxa 4×35, the information they used to service customers is anonymized after two years, since there is no longer any need to be able to identify the customer. It was revealed after an audit, however, that only the customer’s name is deleted after the two years – but no other personally identifiable information such as a telephone number or address. 8,873,333 records deemed to be personally identifiable were found to be older than two years old, the recommended fine so far is DKK 1.2 million (USD $180,079).

How could they have prevented this?

Having a strong understanding of what data you have is the first step in knowing what to do with it. With the right system in place, an organization can gain visibility on their stale data, sensitive data and enable it to remediate accordingly. 

Polish Supervisory Authority imposes GDPR fine for data scraping without informing individuals

Late March 2019, the Polish Supervisory Authority (SA) imposed a €220,000 fine against a company that was processing data it gathered from publicly available sources without informing the individuals concerned. Article 14 of the GDPR requires data controllers, who do not obtain personal data directly from the individuals concerned, to provide these individuals with information about how their data is processed within a reasonable time after obtaining the data (max. 1 month).

The company was found to have intentionally violated Article 14 GDPR motivated by a desire to avoid additional costs associated with informing the individuals about the processing of their data. In addition to the fine, the company was also ordered to inform, within 3 months of the decision, the individuals whose contact data it held.

How could they have prevented this?

Seeing as they had enough data on individuals to warrant a GDPR violation, they had the information needed to contact the individuals whose data they were selling. Cutting corners ended up costing them more than they would have spent on doing their due diligence in remaining GDPR compliant and properly informing their data subjects.

What can we learn?

1. Data access governance is critical, you should be able to answer these questions:
   • Where is your (stale/sensitive) data?
   • Who has access to your data and why do they need access to it?
   • How do you protect your data?
2. The GDPR is real, and it can be really expensive.
   • It cost Google 50 million and could have cost Facebook billions.
3. The GDPR can be broadly interpreted, dedicate some resources to data protection and compliance.
   • An entrepreneur was found to be in contempt of GDPR for installing a CCTV camera in front of their establishment which also recorded a large part of the sidewalk.
4. Effort counts
   • If you can answer the aforementioned questions, then you can prove that your organization is trying.
   • No organization is perfect, but organizations that can prove they have a strong system in place have been able to avoid fines after being investigated.

You can learn more about GDPR and compliance regulations and compliance solutions by visiting the STEALTHbits Website.