It’s official – the GDPR is one year old. In its first 12 months, the European Commission has demonstrated strong yet measured implementation, with fines totalling over €56 million hitting 91 companies, including €50 million against a single organisation. A significant amount, yet a fraction of the full 4% of companies’ total global revenue they could have levied – a difference of billions.
As enforcement begins, the commission seems to be leaning towards a constructive approach – with some members stating publicly they do not wish to put companies out of business, or leverage a fine so large a company would be incapable of fixing the problem. The goal seems to be to incentivise companies to fix the problem, while letting them know that if they do not, the fine could get worse. As time goes on, this approach will likely change.
- The first real test of GDPR
- What's been done for data privacy since GDPR?
- Majority of companies still aren't GDPR-compliant
First fine under GDPR
Today, the commission seems to be rewarding good behaviour as much as it is punishing bad behaviour. A perfect example of this is the first company to be fined under the GDPR, a German social media platform called Knuddels. On first glance, the offense seems to be a major one, a data breach that compromised the email addresses and passwords of 330,000 users. Yet the fine was relatively small, only €20,000, compared to what Knuddels could have been charged. The commission noted that the company proactively and quickly notified the German data protection authorities and customers. They also worked quickly to implement the security procedures that were recommended to address the breach.
In contrast to the commission's response to the Knuddels breach, consider the response to multiple breaches by a Centro Hospitalar Barreiro Montijo, a hospital in Portugal. They were fined €400,000 and didn't even technically have a breach. It was perceived, though, that they ignored one of the core concepts of the GDPR, which is security by design and by default. The hospital allowed indiscriminate access to patient records by an excessive number of users - there were 985 profiles with the access level of a doctor, but there were only 296 doctors in the hospital. To make matters worse, all doctors could see all patient records – even records of other doctors’ patients.
It appears the commission felt these and other actions demonstrated the hospital was consciously violating the GDPR, knowing that its acts were prohibited by law. Although the hospital did take steps to correct the issue once identified, it appeared they were essentially ignoring the GDPR until someone came knocking on their door. The result was a €400,000 fine – which was still much smaller than it could have been.
Largest fine under GDPR
The largest GDPR fine to date was against Google because the commission said people were "not sufficiently informed" how Google collected and used their data. The commission indicated that Google did not gain proper consent to collect data and use it. Google's European headquarters are in Ireland, but the French privacy watchdog had no problem levying the €50 million fine on a company from a completely different country.
One of the most controversial aspects of the GDPR – at least in the storage industry – is an individual’s right to ask that their personal information be deleted if a company has no valid business reason to keep it. Many companies do not store data in a way that makes it easy to delete – especially when it comes to secondary copies of data like snapshots, backups, and archives.
End of the era of leniency
While the commission may have begun with a more measured, constructive approach - public comments suggest this is about to change. Fines were low to urge companies towards compliance, and afford additional time to make corrections. That period will may end sooner than many expect.
In the coming years, companies must take the core tenants of the GDPR more seriously than ever before, with robust, secure data governance at the foundation of virtually every aspect of business. Data governance in direct compliance with the GDPR is no longer an area where companies can come “close,” or “work towards.” The era of leniency will soon be at an end.
W. Curtis Preston, Chief Technologist at Druva
