Legendary comic duo Laurel and Hardy may be making their impact on the big screen this month, but also coming out of the shadow into the limelight are fines being imposed by those found to be flouting the General Data Protection Regulation (GDPR).
Across Europe, news of fines is starting to make headlines and, unlike Stan and Ollie’s slapstick stage act, the financial cost of flouting GDPR is certainly no laughing matter.
And if you are doing filming of your own – for example, if you have CCTV cameras monitoring your premises – you need to be very mindful of GDPR compliance, especially in the wake of the situation which led to one recent fine.
An Austrian businessman had CCTV at his premises which also recorded part of the pavement. The Austrian data protection authority regarded this as contravening GDPR, ruling that the monitoring of public places is not a legitimate interest for companies.
In addition, the area under the glare of the camera was not adequately marked, thus violating the GDPR’s transparency obligation. This business incurred a fine of €4,800 for what the Austrian DPA classed as illegal video surveillance.
Be aware – CCTV cameras capture images that allow you to identify individuals, so this does indeed fit within the GDPR’s scope of personal data. Premises should have the appropriate notices and signs in place and operators should ensure that systems are used for limited and specific purposes. Images that are being recorded must be relevant to those purposes, and recordings must not be retained for longer than necessary.
The Data Protection Authority in Portugal fined a hospital €400,000 in the country’s first GDPR fine. On inspection, the hospital was found to have 985 active doctor accounts while only 296 doctors worked there. It also found that every doctor had access to every patient file, regardless of their specialty.
The hospital lost its argument that it was not responsible for these breaches as it used IT systems provided by the Portuguese Health Ministry.
Germany’s first fine was imposed on a social media company found to have failed in its obligation to ensure the security of its processing of personal data. A hacking attack saw the passwords and email addresses of 330,000 users stolen and published. It turned out that the company had stored customers’ passwords in plain text, with no hashing or encryption, and it incurred a €20,000 fine.
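The failure behind the German fine is the storage pattern itself: a credential table that anyone who dumps it can read. The following is an added example, not code from this article or from any company it mentions, showing the hardened pattern in Python using only the standard library. It assumes a hypothetical user table keyed by email address; the user names and passwords are constructed. Passwords are never stored; instead each one is run through PBKDF2-HMAC-SHA256 with a per-user random salt, verification recomputes and compares in constant time, and a legacy plaintext row is upgraded to a hash the first time its owner logs in.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. 600,000 iterations is the current OWASP
# recommendation for SHA-256; older records made with fewer iterations are
# flagged by needs_rehash() and upgraded at the next successful login.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be cracked with one
    precomputed table for every row.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse(record: str):
    """Split a stored record back into (iterations, salt, digest)."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record: {algorithm}")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    iterations, salt, expected = _parse(record)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when the stored record used a weaker work factor than ITERATIONS."""
    iterations, _, _ = _parse(record)
    return iterations < ITERATIONS


def login(user_table: dict, email: str, candidate: str) -> bool:
    """Check credentials, upgrading plaintext or weak records in place."""
    stored = user_table.get(email)
    if stored is None:
        return False
    if stored.startswith(ALGORITHM + "$"):
        ok = verify_password(stored, candidate)
        if ok and needs_rehash(stored):
            user_table[email] = hash_password(candidate)
        return ok
    # Legacy plaintext row (the pattern behind the fine): compare in constant
    # time, then replace it with a hash so it never has to be read in clear again.
    ok = hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    if ok:
        user_table[email] = hash_password(candidate)
    return ok


# Constructed sample table (hypothetical users, not real data): one row stored
# the way the fined company did it, one stored correctly.
USERS = {
    "alice@example.com": "hunter2",  # plaintext: readable by anyone who dumps the table
    "bob@example.com": hash_password("correct horse battery staple"),
}

if __name__ == "__main__":
    print("alice before:", USERS["alice@example.com"])
    login(USERS, "alice@example.com", "hunter2")
    print("alice after: ", USERS["alice@example.com"])  # now a salted hash
```

The record format carries its own algorithm and iteration count, which is what lets `needs_rehash` raise the work factor later without a bulk migration: a stolen table of these records gives an attacker nothing but the cost of running PBKDF2 per guess, per user.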
GDPR came into force in May 2018 and drastically increased potential penalties on companies found to have misused or mismanaged clients’ personal data.
Fines of up to €20 million or 4% of total annual worldwide turnover, whichever is the higher, were expected to be incurred only as a last resort.
But examples are being made of organisations that do not comply; these contrasting examples show that data management practices need to be robust and underline that there will be no passing the buck.
Non-compliance is simply not worth the risk – a €4,800 fine would be a real blow to an SME. But it’s not just about paying a fine or replacing equipment, a lot more is at stake.
A breach means everything from mandatory reporting to keeping affected customers or clients informed. Think of the impact a breach could have on your firm’s reputation – customers could quite rightly question how seriously you guard their personal details.
Ignorance of the regulation is no excuse: Europe is now covered by the world’s strongest data protection rules and they must be adhered to.
A poll produced for Aon Insurers published last month showed many businesses still don’t know the rules around the GDPR or appreciate the risk to their company.
The SME and micro businesses poll revealed that more than half are confused by or even unaware of the rules around GDPR, while more than eight out of 10 don’t see cyber-attacks or data loss as a significant risk for their business.
The survey followed research by the National Cyber Security Programme which demonstrated that nearly half of UK businesses had experienced at least one cyber security breach or attack in 2017.
The enforcement date for GDPR has long passed, but data protection is an evolving beast and it’s my view that businesses may never achieve full GDPR compliance. Keeping on top of data can be challenging when business services and clients are changing and things don’t always go to plan.
In the UK, the Information Commissioner’s Office (ICO) has stated that it wants to work with companies rather than penalise them – but that doesn’t mean that organisations can avoid becoming GDPR compliant.
A measured approach is being taken towards enforcement, and these European cases highlight examples where basic requirements were not met. So it’s important for organisations to take stock, prioritise and act towards implementing GDPR.
For any business that is unsure whether it is compliant, help is out there: check out the guide on the ICO website.
By Austen Clark, managing director of Clark Integrated Technologies