One year ago in May 2018, the GDPR came into force. Shortly before, many companies were in a panic: what did they still need to sort out and what fines might be hanging over their heads if they couldn't do this in time? In Belgium, it seems that so far things haven't been that bad. But this is now about to change. We can already learn lessons from the sanctions that have been imposed in other countries.
In Belgium, the appointment of the five directors of the Data Protection Authority (DPA), the former Privacy Commission, only took place in late March 2019. Because this appointment took so long, monitoring around the GDPR in our country was delayed. After all, it is the job of the executive committee to, among other things, monitor compliance with the GDPR regulations and provide companies with information on how to handle personal data. Since the DPA has only recently been able to actively carry out this mission, we can expect a catch-up process. What this means in practice can be deduced from what has already happened in other European countries.
Common GDPR violations
If we look at the fines that have already been imposed in connection with the GDPR, we can divide them into three categories: consent, security and end users.
Under the GDPR, consent for the use of data is regulated far more strictly than it was in the past. So companies that send spam or have call centres that contact people randomly can expect a sanction. Many British companies have now experienced this. The 'consent' category, of course, also includes the notorious opt-in for online advertisements. This is precisely why many websites now work with pop-up windows that inform you about the use of your data. In France, Google received the first large GDPR fine – 50 million euros – because it was judged that when end users created an account they were not sufficiently and clearly informed about the use of their data. In addition, the 'receive personalised ads' box was checked in advance, which contravenes the conditions for consent. You also have to be more careful than ever with visual material. Filming someone without their explicit consent is absolutely not allowed. For instance, a British TV crew that was simply filming in a maternity ward was fined about 140,000 euros.
By ‘security’ we mean all the security procedures for personal data, including ‘identity & access management’. As a company, you must ensure that all systems are properly protected so that personal data are protected from unauthorised users. If there is a data breach, for example due to a virus or a hacker, you are required to report this. Uber failed on this front and as a result it received fines in the Netherlands, France and the United Kingdom totalling almost 1.5 million euros. Because of a data breach at Uber, unauthorised persons accessed the personal data of customers and drivers – names, e-mail addresses and telephone numbers. Worldwide, about 57 million Uber users were involved. The Netherlands and France imposed the fine because Uber did not report the data breach within 72 hours but only after a year, while in the United Kingdom it was judged that Uber had not taken sufficient action to avoid the problems. For example, online access to the data was not properly secured.
The end users are often the weakest link in the security chain. How can you be sure that they are handling confidential information securely? This was definitely not the case at the Centro Hospitalar Barreiro Montijo, a hospital in Portugal, where employees with fake profiles were able to view medical records. This resulted in a fine of 400,000 euros for the institution. The Portuguese example involved a deliberate violation by the end users, but this is not always the case. In the United Kingdom, for instance, the Gloucestershire police force certainly did not intend to send an e-mail containing sensitive information about abuse victims to 56 people, but still it was fined 93,000 euros.
You can read more examples of GDPR violations on Herman Maes's blog.
Avoid GDPR fines
So where does this leave the GDPR, and should you as a company now start worrying about massive fines? No, because the basic rules of the GDPR have been around for much longer than a year. For companies that value their reputation and their customer experience, respectful and secure handling of sensitive personal data is self-evident. Of course, you may want to have checks done to see whether your infrastructure and your data are sufficiently secure, and it never hurts to review internal procedures and to remind your employees of their responsibilities.