Data protection expert recommends: What can be learned from the biggest mistakes?

European data protection supervisory authorities have imposed fines amounting to €107.3 million for GDPR violations in the first six months of this year. The cases indicate that the awareness of protecting people's data among companies and public institutions needs improvement, noted Krete Paal, CEO of GDPR Register.

Krete Paal, CEO of the startup GDPR Register, pointed out that the fines imposed this year provide a very good overview of common issues in the field of data protection. "Certainly, awareness is greater today and the situation in the field of personal data protection is much better than a few years ago, but the fines imposed this year clearly show that there is room for improvement. For instance, strong data security measures are the key today, and many of this year's fines were primarily due to the implementation of inadequate security measures," said Paal.

The largest fine this year was imposed on the Italian energy company Enel Energia SpA, which was fined €79.1 million. The company failed to implement data security measures, allowing unauthorized access to their customers' personal data. Violations included unsolicited marketing calls to customers who had not given consent and insecure sharing of access rights and passwords among employees.

UniCredit was fined €2.8 million in Italy for insufficient security measures. Following a data leak, it was revealed that the company had not applied adequate security measures to limit access to personal data, making people's data freely accessible to everyone.

Another major concern is the transparency in the use of data and the practices of obtaining consent from individuals. "Recent cases, such as the €13.9 million fine imposed on Avast Software, highlight the need for clear communication between the individual and the data processor. Avast, an antivirus software company, sold its customers' personal data to marketing companies for profit. When a company or institution asks for consent to process data, it must be compliant and clearly understandable," explained Paal.

Protecting employee privacy is crucial

The French supervisory authority fined Amazon France €32 million for using surveillance systems that infringed on employee privacy. Amazon monitored the employees in its French warehouses through scanners and video cameras to assess their productivity. The data protection authority concluded that Amazon did not need the collected data for work planning. Additionally, employees were not adequately informed about the video surveillance, causing undue stress.

It is also essential to report violations promptly. In Poland, the local bank Santander Bank Polska faced widespread criticism for not promptly informing affected individuals and authorities about a discovered violation. This oversight resulted in a hefty fine of €326,000 for the bank.

Finnish online retailer Verkkokauppa.com was fined due to a lack of clear data retention policies. "The retention of personal data must be well thought out and justified, and unnecessary retention of personal data should certainly be avoided," emphasized Paal.

Based on the mistakes made this year, the data protection expert provided five recommendations for better compliance with GDPR requirements and avoiding fines:

Implement comprehensive data security protocols: Regularly update and test security systems and protocols to protect personal data from unauthorized access and breaches.

Ensure transparency and obtain valid consent: Conduct periodic audits to ensure that consent mechanisms comply with GDPR requirements and provide clear information.

Balance monitoring practices with privacy rights: Develop and implement monitoring systems that respect employee privacy and offer clear notifications about monitoring practices.

Create clear response plans for data breaches: A response plan for data breaches should include procedures for timely notification to authorities and affected individuals.

Define and follow data retention policies: Update the data processing registry and implement systems for deleting data according to defined retention policies, minimizing the retention of unnecessary personal data.

 

Developed in collaboration with IT experts, GDPR Register by the Estonian startup makes GDPR compliance simple and logical, helping companies and institutions efficiently manage the processes, actions, and documentation associated with GDPR regulations.