Despite the difficulties that organisations face during the COVID-19 pandemic, regulators are continuing to enforce the GDPR (General Data Protection Regulation).
In the past 3 months, 46 administrative fines have been issued across the EU, accounting for almost €3 million in fines.
What kinds of mistakes are leading to these penalties? Let’s take a look at some of the most notable actions that regulators have taken recently.
Tusla penalised for breaching children’s personal data
In May, Ireland’s child and family agency, Tusla, received a €75,000 fine after it disclosed the personal information of children to unauthorised parties on three occasions.
In one instance, the contact and location data of a mother and child was disclosed to an alleged abuser. The other cases related to personal data about children in foster care being disclosed to blood relatives.
A spokesperson for Tusla said the organisation didn’t intend to contest the fine and will accept and respect the DPC (Data Protection Commission) decision.
“Tusla is acutely aware of its responsibilities in relation to the very sensitive data we work with on a daily basis,” she said.
“Such information is generated in several hundred thousand interactions every year.
“We have fully engaged with the DPC in their three investigations which are largely based on breaches identified by Tusla and reported to the DPC in a timely fashion.
“The main focus of our work with the DPC is in setting out improvement plans and more importantly implementing those. These reforms do take time in a complex and challenging environment.”
AOK fined for failing to meet consent requirements
In June, the Data Protection Authority of Baden-Württemberg fined the German health insurance firm AOK €1.24 million for failing to implement appropriate technical and organisational security measures.
The organisation had collected personal data as part of a series of lotteries between 2015 and 2019. However, internal errors led to 500 competition winners receiving adverts without their consent.
AOK did have some GDPR compliance practices, including internal policies and data protection training for staff, but the Data Protection Authority determined that these weren’t adequate.
The organisation cooperated and took immediate action to rectify the situation. Given that and the relatively low number of people affected, the size of the fine surprised many.
JobTeam hit with DSAR penalty
In May, the Danish Data Protection Authority proposed a fine of DKK 50,000 (about €6,700) for the recruitment firm JobTeam.
It was found to have deleted personal data after an individual had submitted a DSAR (data subject access request).
Astrid Mavrogenis, Head of Unit in the Danish Data Protection Authority, commented:
“Where a controller deletes information on the individual directly linked to the failure to meet an access request, the controller unlawfully denies the possibility of a review of the right of access by the data by the Data Protection Authority and the Courts.
“This is a violation of the citizen’s fundamental rights and is not an example of good data processing.”
How to avoid GDPR fines
GDPR fines can be disastrous for businesses – not only because of the financial penalty but also the reputational damage that comes with it.
There will be news stories like these breaking down the mistakes you’ve made, giving existing and potential customers reason to think twice about using your services.
The loss of revenue that comes from this will linger for months, if not years, which is why so many organisations struggle to recover from security incidents.
You can ensure this doesn’t happen to your organisation by regularly reviewing your compliance practices to make sure the correct procedures are in place. An ideal place to start when doing that is our GDPR Toolkit.
Designed and developed by data protection experts, this toolkit contains a complete set of easy-to-use documentation templates, which will help formalise your approach to GDPR compliance while saving you time and money.
But it’s more than simply a set of templates. It also includes:
- Gap analysis and data protection impact assessment tools that help you identify compliance weaknesses and how to address them;
- Two licences for the GDPR Staff Awareness E-learning Course; and
- Guidance documents covering data subject consent forms, data retention records, and pseudonymisation, minimisation and encryption.