CNIL issues $225k GDPR fine in wake-up call for third-party data processors

Last month, France’s data protection authority, the CNIL, imposed a €150,000 fine on a data controller and a €75,000 fine on its data processor for their failure to implement adequate security measures.

The ruling followed a credential stuffing attack against the data controller (which the CNIL didn’t name), in which the personal data of 40,000 people was compromised.

What’s noteworthy about this incident is that both the data controller and processor were punished.

It’s a reminder that third parties can be held accountable for data breaches under the GDPR (General Data Protection Regulation), and that everyone must be aware of their compliance requirements.

Why are data controllers and data processors both accountable?

Data controllers and data processors perform similar – but distinct – tasks under the GDPR.

A data controller is the person or group that decides when and why an organisation collects personal information, whereas a data processor is the organisation that does the legwork.

For example, a marketing executive at a retailer hires a company to conduct a survey on shoppers’ browsing habits. The retailer is the data controller, and the company conducting the survey is the data processor.

Under the GDPR, both parties must agree to a set of practices that ensure that the Regulation’s requirements are met. This includes provisions regarding the six data processing principles set out in Article 5:

  1. Lawfulness, fairness and transparency 
  2. Purpose limitation 
  3. Data minimisation 
  4. Accuracy 
  5. Storage limitation 
  6. Integrity and confidentiality

In the case of the fine imposed by the CNIL, it is likely that the data controller either failed to address these principles (particularly regarding integrity and confidentiality) or wasn’t vigilant enough to make sure that the data processor met its contractual obligations.

This is not a one-off incident. Last year, 45% of all GDPR fines related to violations of Article 5, demonstrating that data controllers and processors must become more accountable.

If you’re unsure what your responsibilities are as a data controller or processor, we recommend our Certified GDPR Foundation Training Course.

This one-day course is delivered by an experienced data protection expert, and provides a comprehensive introduction to the Regulation and its rules.

It is ideal for managers who want to understand how the Regulation affects their organisation, and for employees who are responsible for GDPR compliance. It is available in a variety of forms, including online and self-paced.

