The penalty for failure to comply with the General Data Protection Regulation (GDPR) is up to $22 million or 4% of annual global turnover (whichever is greater). By now most organizations around the globe know that, regardless of where they are based, this regulation affects them if they are doing business with EU citizens. Aside from the responsibility to properly handle personal data, a fine of that size can seriously hurt your business. For example, under the Data Protection Act of 1998, Facebook was fined £500,000 (US $650,337) for the Cambridge Analytica scandal; if this had happened 8 months later, that number would have been around $1.7 billion.
In this article, I will outline which organizations have already been affected, why they were fined, how much it cost them, and how they could have avoided it using StealthAUDIT.
Four months after the introduction of the GDPR, the Austrian Data Protection Authority (DSB) has issued its first fine after stating that the DSB will at first enforce only remedial powers for first-time infringers. As such, this first fine of EUR 4,800 was delivered to an entrepreneur who was found to be in contempt of GDPR for installing a CCTV camera in front of their establishment which also recorded a large part of the sidewalk. The DSB had found this to be in violation of the GDPR, as the large-scale monitoring of public spaces is forbidden under the GDPR. Since this CCTV camera was also not appropriately marked as conducting video surveillance, the applicable transparency obligations had not been fulfilled.
While the fine itself was moderate, the precedent is significant: it shows how broadly a data protection regulator can interpret what puts a company in violation of the GDPR.
How could they have prevented this?
Knowledge. There is no substitute for a qualified data protection officer who is aware of potential GDPR infractions. This small fine only scratches the surface of the areas an organization needs to be aware of: hire qualified people, or pay the price.
Germany’s first fine under the GDPR was enforced on the chat site called Knuddels.de, one of Germany’s largest chat platforms. The data protection watchdog Baden-Württemberg discovered that 1.87 million username/password combinations and over 800,000 e-mail addresses were dumped on Mega.nz and Pastebin.com. Knuddels.de was fined €20,000 following the breach which affected 330,000 users, including their passwords and e-mail addresses.
How could they have prevented this?
The probe showed that the site was storing passwords in plain text, which is what justified the fine. Data security software such as StealthAUDIT, which can detect plain text passwords, weak passwords and much more, would have made Knuddels.de well aware of this vulnerability.
“By storing the passwords in clear text, the company knowingly violated its duty to ensure data security in the processing of personal data in accordance with GDPR Article 32(1)(a),” reads the statement by the data protection authority. The provision concerned of the European Union’s General Data Protection Regulation (GDPR) covers “the pseudonymization and encryption of personal data”.
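The Knuddels.de finding comes down to one storage decision: the credential column held the password itself rather than a salted, slow hash of it. The following Python is an added example (not code from the original post, from StealthAUDIT or from Knuddels.de) showing the two halves of the fix that Article 32(1)(a) asks for: storing passwords with the standard library's `hashlib.scrypt` in a self-describing record format, and a small audit check that flags any stored credential not in that format, which is the kind of plain-text detection the paragraph above refers to. The `scrypt$<salt>$<digest>` record layout, the scrypt cost parameters and the sample user rows are all constructed for this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed cost parameters: 128 * N * r * p bytes of memory per hash (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCHEME = "scrypt"


def hash_password(password, salt=None):
    """Return a storable record 'scrypt$<salt-b64>$<digest-b64>' (constructed format).

    A fresh 16-byte random salt is drawn unless one is supplied (tests only).
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "%s$%s$%s" % (SCHEME,
                         base64.b64encode(salt).decode("ascii"),
                         base64.b64encode(digest).decode("ascii"))


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 3 or parts[0] != SCHEME:
        return False  # plain text or unknown scheme: never treat as a match
    salt = base64.b64decode(parts[1])
    expected = base64.b64decode(parts[2])
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def find_plaintext_credentials(rows):
    """Audit check: usernames whose stored credential is not a hashed record.

    rows is an iterable of (username, stored_credential) pairs.
    """
    flagged = []
    for username, stored in rows:
        parts = stored.split("$")
        if len(parts) != 3 or parts[0] != SCHEME:
            flagged.append(username)
    return flagged


# Constructed sample user table: what a plain-text store looks like, and the same
# table after migrating every row through hash_password().
LEGACY_ROWS = [("alice", "hunter2"), ("bob", "correct horse battery staple")]
MIGRATED_ROWS = [(user, hash_password(pw)) for user, pw in LEGACY_ROWS]

if __name__ == "__main__":
    print("plain-text accounts before migration:", find_plaintext_credentials(LEGACY_ROWS))
    print("plain-text accounts after migration: ", find_plaintext_credentials(MIGRATED_ROWS))
    print("alice login with correct password:   ", verify_password("hunter2", MIGRATED_ROWS[0][1]))
```

The audit function is deliberately format-based: anything that does not parse as a hashed record is reported, so a column that was "half migrated" shows up immediately rather than only at the next breach. In a real migration the legacy plain-text value is hashed once at login or in a batch job and then discarded, never kept beside the hash.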
In July of 2018, the Portuguese Supervisory Authority (CNPD) fined a hospital for €400,000 under the GDPR.
According to reports, the CNPD investigated the hospital and found that the hospital’s staff, psychologists, dietitians, and other professionals had access to sensitive patient data through fake profiles.
The hospital’s profile management system revealed that although the hospital only had 296 doctors, there were 985 registered doctor profiles. To make matters worse, all doctors had unrestricted access to all patient files without regard for the doctor’s specialty. The hospital countered that it was using the IT system provided to public hospitals by the Portuguese Health Ministry, but to no avail: the CNPD ruled that it is the hospital’s responsibility to make sure that whatever IT system it uses complies with GDPR standards.
How could they have prevented this?
There are several ways this hospital could have prevented this issue, beginning with a data access governance plan. Managing users and accounts can be daunting, especially under the added pressure of GDPR compliance. With a proper user management system in place, the hospital could easily have remediated unnecessary access and removed the extra accounts, ultimately avoiding this fine and protecting its patients.
The first complaint under the EU’s new GDPR regulation was filed against Google on the very day the legislation took effect, May 25th, 2018. By January 2019, Google was facing a 50 million Euro fine, the largest fine to date.
Google was fined by France’s data regulator, which cited a lack of transparency and consent in the use of advertising personalization, including a pre-checked option to personalize ads. The regulator judged that individuals were “not sufficiently informed” as to how Google was collecting their data to personalize advertising.
How could they have prevented this?
2. Proper consent
The regulator also found that Google had failed to obtain an actual legal basis for processing user data.
Danish company Taxa 4×35 – a large taxi company in Denmark.
The first Danish company found guilty of GDPR violations is the taxi company Taxa 4×35, which was found to hold just under 9 million stale customer records and to have missed the deadline set for deleting customer information.
According to Taxa 4×35, the information used to service customers is anonymized after two years, since there is no longer any need to be able to identify the customer. An audit revealed, however, that only the customer’s name is deleted after the two years, and no other personally identifiable information such as a telephone number or address. 8,873,333 records deemed to be personally identifiable were found to be older than two years; the recommended fine so far is DKK 1.2 million (USD $180,079).
How could they have prevented this?
Having a strong understanding of what data you have is the first step in knowing what to do with it. With the right system in place, an organization gains visibility into its stale and sensitive data and can remediate accordingly.
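The Taxa 4×35 case is a retention routine that ran on schedule but cleared only one field, so the records stayed identifiable. As an added illustration of the two passages above (not code from the original post, from StealthAUDIT or from Taxa 4×35), the Python below contrasts a name-only deletion with an anonymization step that clears every PII field of a stale record, and adds the audit check that would have caught the difference: a list of stale records that still carry any PII value. The two-year retention period, the set of PII fields and the customer rows are constructed for this example; real retention policies and field lists come from the organization's own data inventory.

```python
from datetime import date, timedelta

# Constructed policy: a record older than two years must no longer identify the customer.
RETENTION = timedelta(days=2 * 365)
# Constructed field list; a real one comes from the data inventory, not from guesswork.
PII_FIELDS = ("name", "phone", "address")


def is_stale(record, today, retention=RETENTION):
    """True when the record's last activity is older than the retention period."""
    return today - record["last_trip"] > retention


def delete_name_only(records, today):
    """The flawed routine the audit described: only the name is cleared."""
    return [dict(r, name=None) if is_stale(r, today) else dict(r) for r in records]


def anonymize_stale(records, today, pii_fields=PII_FIELDS):
    """Clear every PII field of every stale record; non-identifying statistics are kept."""
    cleaned = []
    for r in records:
        if is_stale(r, today):
            cleaned.append({k: (None if k in pii_fields else v) for k, v in r.items()})
        else:
            cleaned.append(dict(r))
    return cleaned


def find_stale_pii(records, today, pii_fields=PII_FIELDS):
    """Audit check: ids of stale records that still hold any PII value."""
    return [r["id"] for r in records
            if is_stale(r, today) and any(r.get(f) for f in pii_fields)]


# Constructed customer rows: ids 1 and 3 are past retention on the audit date, id 2 is not.
SAMPLE_RECORDS = [
    {"id": 1, "name": "A. Jensen", "phone": "+45 00 00 00 01", "address": "Street 1",
     "last_trip": date(2016, 5, 3), "trips": 12},
    {"id": 2, "name": "B. Nielsen", "phone": "+45 00 00 00 02", "address": "Street 2",
     "last_trip": date(2018, 11, 20), "trips": 3},
    {"id": 3, "name": "C. Hansen", "phone": "+45 00 00 00 03", "address": "Street 3",
     "last_trip": date(2017, 1, 15), "trips": 40},
]
AUDIT_DATE = date(2019, 3, 1)

if __name__ == "__main__":
    print("stale records with PII, untouched:   ", find_stale_pii(SAMPLE_RECORDS, AUDIT_DATE))
    print("after name-only deletion:            ",
          find_stale_pii(delete_name_only(SAMPLE_RECORDS, AUDIT_DATE), AUDIT_DATE))
    print("after full anonymization:            ",
          find_stale_pii(anonymize_stale(SAMPLE_RECORDS, AUDIT_DATE), AUDIT_DATE))
```

The point of `find_stale_pii` is that it is independent of the deletion job: it asks the data what is still there rather than trusting that the job ran. Scheduling that check beside the retention job, and treating a non-empty result as a finding, is the "visibility on stale data" the paragraph above describes.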
Polish Supervisory Authority imposes GDPR fine for data scraping without informing individuals
In late March 2019, the Polish Supervisory Authority (SA) imposed a €220,000 fine against a company that was processing data it gathered from publicly available sources without informing the individuals concerned. Article 14 of the GDPR requires data controllers who do not obtain personal data directly from the individuals concerned to provide these individuals with information about how their data is processed within a reasonable time after obtaining the data (max. 1 month).
The company was found to have intentionally violated Article 14 GDPR motivated by a desire to avoid additional costs associated with informing the individuals about the processing of their data. In addition to the fine, the company was also ordered to inform, within 3 months of the decision, the individuals whose contact data it held.
How could they have prevented this?
Seeing as they had enough data on individuals to warrant a GDPR violation, they had the information needed to contact the individuals whose data they were selling. Cutting corners ended up costing them more than they would have spent on doing their due diligence in remaining GDPR compliant and properly informing their data subjects.
What can we learn?
You can learn more about GDPR and compliance regulations and compliance solutions by visiting the STEALTHbits Website.
Chris studied Information Systems at Hofstra University before joining Stealthbits (now part of Netwrix), where he took on the role of Technical Product Manager for the SharePoint, Dropbox, and Box solution sets. His focus is primarily on SharePoint security, but data security in general is a passion. Aside from technical interests, he enjoys the outdoors and hopes to one day start an animal rescue and rehabilitation center for injured, disabled, and orphaned animals.
Proper data security begins with a strong foundation. Find out what you're standing on with a free deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure.
© 2022 Stealthbits Technologies, Inc.