France’s national data protection authority (CNIL) has fined rental car company Hertz France after it left customers’ personal data accessible online.
The CNIL, which was informed of the vulnerability on 15 October 2016, found that 35,357 customers were affected. The flaw stemmed from a coding error by a third-party service provider responsible for designing Hertz France’s website. The CNIL deemed that Hertz France was negligent in overseeing the actions of its service provider, but was lenient in its penalty because the company quickly resolved the issue once it became aware of it.
‘A strong signal’ that change is needed
This is the first time the CNIL has imposed a financial penalty for a data breach, having been given the power to do so in a 2016 update to the country’s data protection laws. The French Digital Republic Act came into effect on 7 October 2016 – just over a week before the CNIL was informed of this incident – and is intended to bridge the gap between previous data laws and the EU General Data Protection Regulation (GDPR).
According to Gabriel Voisin, an international privacy and data protection partner at Bird & Bird, who was speaking to Bloomberg BNA, the CNIL’s fine “is a strong signal for organizations that they must make sure that they have implemented appropriate security measures” to protect users’ personal data.
With the GDPR’s strict compliance requirements and strong penalties, all organisations should be assessing their security measures ahead of the May 2018 deadline. If the CNIL’s fine has the effect that Voisin hopes, it will be a much-needed change. Last year, the CNIL discovered that another French car-sharing website, OuiCar, had exposed customers’ personal data in a similar third-party coding error. However, because the incident was discovered and investigated before France amended its data protection law, OuiCar was not fined.
The GDPR’s accountability principle states that organisations have to not only comply with the GDPR but also demonstrate compliance. This includes keeping up-to-date records of processing activities and sharing these records with data protection authorities upon request.
Our documentation toolkit reduces the burden of developing the documents needed to achieve compliance, as it contains the full set of policies and procedures that organisations need to comply with the GDPR. You can also:
- Get professional guidance on GDPR compliance obligations and personal information best practices.
- Make sure that you have adequately identified risks to personal data and are able to put in place the necessary controls in order to protect your data.
- Embed the documentation into your organisation quickly and easily by using the pre-formatted templates.
- Integrate GDPR documentation with your ISO 27001 documentation, reducing duplication.