In a previous post, we looked at the highest GDPR fines to date. We thought it would be interesting to show what instigates fines like these, so now let's explore some common GDPR violations that have already zapped organizations. We looked at the effect, so now let’s look at the causes.
Why focus on the causes? Weighing cause against effect gives you an idea of what regulators are looking for and how badly it can hurt if your company is found not to be in compliance. It also exposes the weaknesses in corporate data security postures and shows how to correct them proactively, before the badness occurs.
1. Failure to pseudonymize sensitive data
It's bad enough that the most common passwords out there are still things like password, 123456, or abc123. It's even worse when the passwords are stored in the clear: an attacker who gets hold of the user table doesn't have to guess from what little they know about the target, or run scripts to force their way in, because every credential is sitting there readable. You might as well just invite threat actors in.
The first-ever GDPR fine was issued to the German online chat platform "Knuddels.de" after a breach exposed user passwords that had been stored in the clear. The fine, from the Baden-Württemberg data protection authority, was 20,000 EUR. Facebook's 500,000 GBP penalty from the UK ICO is often cited alongside it, but that one was for the Cambridge Analytica data sharing under the pre-GDPR Data Protection Act 1998, not for password storage; Facebook's own 2019 admission that it had logged hundreds of millions of user passwords in plaintext was a separate incident.
Data protection is foundational to data privacy, which is why Article 32(1)(a) names pseudonymisation and encryption of personal data as the first examples of the technical measures a controller is expected to apply. For credentials the appropriate measure is a salted, deliberately slow password hash (bcrypt, scrypt or Argon2), so that a leaked table yields stand-in values an attacker cannot turn back into passwords; for other identifiers it is pseudonymisation, replacing the value with a token whose mapping is kept separately from the data. In the cases above, either control would have left the attackers with nothing directly usable, and the regulator with far less to fine.
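To make the contrast concrete, here is an added example (it is not code from Knuddels, Facebook or the regulators quoted above) that puts the plaintext-storage pattern behind these fines beside the two Article 32(1)(a) measures that neutralise it: a salted, memory-hard password hash using the standard library's scrypt, and a keyed pseudonym for identifiers. The user records and the scrypt cost parameters are constructed assumptions for the example.

```python
# Added example: plaintext credential storage versus a salted slow hash and a
# keyed pseudonym. Not code from the organizations or regulators named in the
# post; all user records and cost parameters below are constructed.
import hashlib
import hmac
import os

# The weak pattern: the application keeps the secret itself. Anyone who can
# read this table (SQL injection, a leaked backup, an over-privileged admin)
# holds every user's password with no guessing required.
PLAINTEXT_USERS = {"alice": "123456", "bob": "hunter2"}


def verify_plaintext(username: str, password: str) -> bool:
    return PLAINTEXT_USERS.get(username) == password


# The hardened pattern: persist only a per-user salt and a memory-hard hash.
# n/r/p set the cost and should rise as hardware gets faster; these values are
# an assumption for the example, not a recommendation for any deployment.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str) -> dict:
    """Return a record that is safe to store: salt, hash and the cost used."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return {"salt": salt.hex(), "hash": digest.hex(),
            "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P}


def verify_password(record: dict, password: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(record["salt"]),
                            n=record["n"], r=record["r"], p=record["p"],
                            dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def migrate_store(plaintext_users: dict) -> dict:
    """One-off migration: hash every stored password and drop the cleartext.
    Because the cleartext is already on disk, migrate immediately rather than
    lazily at next login."""
    return {user: hash_password(pw) for user, pw in plaintext_users.items()}


# Pseudonymisation of an identifier: replace the value with a token derived by
# a keyed hash. The token is stable, so records can still be joined, but the
# original cannot be recovered or recomputed without the key, which is kept
# outside the dataset (a KMS or HSM in practice).
def pseudonymise(identifier: str, key: bytes) -> str:
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    store = migrate_store(PLAINTEXT_USERS)
    print("cleartext present after migration:", "123456" in repr(store))
    print("alice logs in:", verify_password(store["alice"], "123456"))
    key = os.urandom(32)  # constructed here; would never sit beside the data
    print("alice ->", pseudonymise("alice", key))
```

The point of the split between the hashed table and the pseudonymisation key is what Article 32 is asking for: a copy of the data alone should not be enough to reverse either transformation.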
2. Failure to assess risk
GDPR Article 35 requires a Data Protection Impact Assessment (DPIA) before any processing that is likely to result in a high risk to individuals, and Article 35(11) requires that assessment to be reviewed whenever the risk changes. Organizations therefore can't take a "one and done" approach but must, on an acceptable cadence, audit and reassess ongoing risk. You don't check the tires on your vehicle just once; you do it regularly to ensure ongoing safety. Unless you like blow-outs and flat tires. Same principle here.
So what can happen if you don't assess risk on an ongoing basis? A Portuguese hospital, Centro Hospitalar Barreiro Montijo, was fined 400,000 EUR in total for three violations: granting indiscriminate access to far too many users, failing to apply appropriate technical and organizational measures to prevent exposure of sensitive data, and, most relevant to this point, having no ongoing process for assessing risk.
3. Failure to limit access
We love analogies to drive home a point, so here's another one: it might be tempting and convenient to leave the gate propped open, however briefly, but the gate is there for a reason, and what's behind it shouldn't be exposed to just about everybody. The same applies to personal data. Access granted indiscriminately widens the pool of people who can leak, misuse or be phished for it, and so raises both the likelihood and the blast radius of a subsequent compromise.
Look at the example in #2 above. 150,000 EUR of that same Portuguese hospital's fine was for this point alone, under Article 5(1)(c), the data-minimisation principle, which the regulator applied to access as well as to collection. The hospital had over 900 active user accounts with doctor-level permissions although fewer than 300 doctors actually worked there, and every account with that role could read every patient's record regardless of the doctor's specialty. That is far too much exposure of sensitive data. Don't leave the gate open for all!
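The check that would have surfaced 900+ "doctor" accounts for fewer than 300 doctors is a reconciliation of privileged accounts against the HR roster. The following is an added example of that audit, not the hospital's or the CNPD's tooling; the account export, the roster and their column names are constructed assumptions, and the 90-day staleness threshold is likewise an assumption.

```python
# Added example: reconcile accounts carrying a privileged role against the HR
# roster and explain each grant that should not exist. Not the hospital's or
# the regulator's code; the CSV data and column names below are constructed.
import csv
import io

# Constructed identity-system export: who holds which role, and when they last
# logged in. A blank employee_id marks a shared or generic login.
ACCOUNTS_CSV = """\
account,employee_id,role,last_login_days
ana.silva,E100,doctor,3
joao.costa,E101,doctor,12
lab.bench1,E200,doctor,0
dr.generic,,doctor,45
maria.lopes,E102,doctor,400
rita.nunes,E300,nurse,1
"""

# Constructed HR roster: the source of truth for who is actually a doctor.
ROSTER_CSV = """\
employee_id,name,job_title,active
E100,Ana Silva,doctor,yes
E101,Joao Costa,doctor,yes
E102,Maria Lopes,doctor,no
E200,Rui Mendes,lab technician,yes
E300,Rita Nunes,nurse,yes
"""


def load_csv(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def audit_role(accounts_csv: str, roster_csv: str, role: str = "doctor",
               stale_days: int = 90) -> tuple:
    """Return (summary, findings) for every account that carries `role`.

    findings groups account names by why the grant looks wrong:
      unlinked       - no employee behind the account (shared/generic login)
      title_mismatch - employee exists but their job title is not `role`
      inactive       - employee has left but the account still holds the role
      stale          - no login for more than `stale_days`; likely never needed
    """
    roster = {r["employee_id"]: r for r in load_csv(roster_csv)}
    privileged = [a for a in load_csv(accounts_csv) if a["role"] == role]
    findings = {"unlinked": [], "title_mismatch": [], "inactive": [], "stale": []}
    for acct in privileged:
        emp = roster.get(acct["employee_id"])
        if emp is None:
            findings["unlinked"].append(acct["account"])
            continue
        if emp["job_title"] != role:
            findings["title_mismatch"].append(acct["account"])
        if emp["active"] != "yes":
            findings["inactive"].append(acct["account"])
        if int(acct["last_login_days"]) > stale_days:
            findings["stale"].append(acct["account"])
    # Headcount is the number of active employees whose job actually is `role`;
    # accounts minus headcount is the excess the regulator would ask about.
    headcount = sum(1 for e in roster.values()
                    if e["job_title"] == role and e["active"] == "yes")
    summary = {"role": role, "accounts": len(privileged),
               "headcount": headcount, "excess": len(privileged) - headcount}
    return summary, findings


if __name__ == "__main__":
    summary, findings = audit_role(ACCOUNTS_CSV, ROSTER_CSV)
    print(summary)
    for reason, accounts in findings.items():
        if accounts:
            print(f"{reason}: {', '.join(accounts)}")
```

Run on a regular cadence (and on every leaver and role change), this is the kind of evidence a DPIA review can cite; run once, it only tells you how far the gate has already drifted open.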
4. Unauthorized collection of personal data
The first GDPR fine in Austria (think schnitzel and Alps, not kangaroos and the Sydney Opera House), 4,800 EUR, was issued to an entrepreneur whose CCTV camera recorded not only the entrance to his establishment but also a large portion of the sidewalk out front. So what's the problem? The operator had not posted a sign visible to the passers-by being recorded. They had no idea whatsoever!
This amounted to unauthorized collection of personal data for two reasons. First, video surveillance of public space by a private operator is generally not permitted under GDPR, so there was no lawful basis for recording the sidewalk at all. Second, no signage informed the public in the vicinity that they were being recorded, so the transparency obligation was breached as well: the people on camera were never told, let alone asked.
Now, we want to leave you with some simple points to take away from all this:
- GDPR regulations are pretty clearly documented and articulated.
- Ignorance of or inability to understand these regulations is no excuse and certainly not a defense.
- All of these situations had corrective actions which could have been implemented in a fairly painless fashion.
- These regulations are being enforced, and they can result—as you see with these examples—in stiff fines and of course some egg on the corporate face, which can harm any company’s brand and customer trust.