No Organization or Violation Is Too Small to Avoid Costly Penalties.
Since the EU’s General Data Protection Regulation (GDPR) took effect in May 2018, EU authorities have issued more than 370 million euros in fines. The headlines about GDPR enforcement have been dominated by a few well-known companies hit with big penalties: $57 million for Google, $123 million for Marriott International, and $230 million for British Airways.
If you’re an executive following these stories, you might walk away with the mistaken impression that European authorities are prosecuting only multinational corporations for massive data breaches or privacy violations. But authorities in EU member states haven’t hesitated to issue significant fines to smaller organizations, sometimes for seemingly minor infractions.
Broadly, EU data protection authorities can fine any organization (or private citizen) that collects or processes personal information of EU residents and fails to obtain appropriate consent, does not have an adequate legal basis for collection, does not have appropriate security in place to protect such data, or fails to comply with individuals’ right to access, alter, and delete their data.
Executives in the European Union and beyond can learn valuable lessons from these lesser-known GDPR fines. Here are a few particularly interesting cases of GDPR violations the EU authorities are pursuing, and ways your business can avoid being fined for noncompliance.
"Doing business in the EU? Even if you’re not a Facebook or Google, there are lessons to be learned by the track record of significant GDPR fines for smaller companies."
Dutch Insurers Hit With GDPR Fine for Not Using MFA
Dutch public insurance company UWV was penalized for neglecting to implement adequate security measures when processing health data. According to the National Law Review, UWV had a public portal where employers could submit the dates of employee absences due to illness, pregnancy, or parental leave. Though employers did not specify what medical situation employees missed work for, even alluding to the fact that someone had been sick still qualified this as “health data,” which is highly protected under the GDPR.
UWV was prosecuted under Article 32 of the GDPR, which mandates that organizations “shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” The Dutch supervisory authority deemed that UWV violated Article 32 by failing to implement multifactor authentication (MFA) in its portal. With MFA, logins require an additional form of authentication, such as a one-time code or a biometric credential. This form of login is more secure than simple username-password combinations, which are vulnerable to improper access and credential stuffing attacks.
UWV is far from the only organization to be penalized for inadequate security. According to GDPR Enforcement Tracker’s database, there have been 37 fines levied to date under Article 32, making it the third-most-quoted article in enforcement actions, after articles 5 and 6. While 5 and 6 are quite broad in scope and could be considered catchalls, Article 32 singles out organizations with inadequate technical safeguards on personal data, whether that data was exposed or not.
UWV was made to conduct a privacy impact assessment and was given a year to put improved security in place, after which they would be fined €150,000 per month, with a maximum fine of €900,000.
How to avoid this type of GDPR fine: First, determine whether your business processes information that falls under one of the GDPR’s special categories of personal data, which is defined as “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data to uniquely identify a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
Any organization that engages in this type of data processing (even if, like UWV, it only obliquely alludes to it) will be held to a higher standard of data protection. That means it’s a good idea to put MFA in place to achieve GDPR compliance, and not just for your end-users but your employees as well. In a similar case in the Netherlands, a hospital was fined €460,000 for not having two-factor authentication in place to prevent staff members from improperly accessing the medical records of a Dutch celebrity.
Misplaced Files Earn a Hefty GDPR Fine
Norway’s supervisory authority fined the municipality of Bergen €170,000 under articles 5 and 32 of the GDPR. This case came to light after a student in a local school discovered that several files, containing login credentials for 35,000 students and employees, were accessible to the public. This oversight was exacerbated by the fact that the school system also didn’t have MFA in place, so anyone who had login credentials could then access the school’s digital learning platform, which contained highly personal information, such as schoolwork and teacher evaluations.
Norway’s data protection authority, Datatilsynet, said the size of the fine was partly due to “aggravating factors.” Specifically, they cited the fact that the majority of the data subjects were children, and that the town had been warned repeatedly, both by outsiders and “an internal whistleblower,” that it needed to improve its data security.
How to avoid this type of GDPR fine: As Datatilsynet explained in its decision: “In the GDPR, children are defined as a particularly vulnerable group that shall be given special protection.” So any business that processes the data of minors must exercise special care, both in ensuring that data is secure and in obtaining consent.
Also, this fine speaks to how imperative it is for every company to get a clear view of where their data is and who can access it. A good place to start is a user management system, with a dashboard that lets you easily grant and revoke permissions to sensitive data and delete it on request, by data subjects' rights under the GDPR.
"The pace of GDPR is expected to pick up in 2020. Discover what even smaller companies need to do to avoid significant fines."
Similar Data Breaches, but Very Different GDPR Fines
In the summer of 2018, German social media company Knuddels and EU fintech company MisterTango each suffered data breaches that exposed personal information, but they were treated very differently by authorities.
Knuddels got away with a €20,000 administrative fine under Article 32, which German supervisory authorities attributed to its transparency, cooperation with authorities, and efforts to institute additional security measures.
MisterTango, meanwhile, was fined €61,500 under articles 5, 32, and 33. Lithuania’s data protection authority held the company to account for failing to report their security breach to the Information Commissioner’s Office(ICO) within the requisite 72 hours. This initial misstep triggered an investigation, which revealed that MisterTango was collecting data with an insufficient legal basis and storing it for too long and had only one employee charged with handling data security.
How to avoid this type of GDPR fine: Both Knuddels and MisterTango made significant data security errors. Knuddels stored unencrypted versions of its users’ credentials, and MisterTango inadvertently exposed customer data in a public setting. There are lessons here about the importance of anonymizing personal information and keeping close track of data.
The biggest lesson, however, is in the vast disparity of the fines for two similar violations. Knuddels minimized the damage by coming forward about the security breach immediately and devoting adequate resources to ensure it would never happen again. EU authorities have emphasized that they will be more lenient with organizations that act in good faith and can show a commitment to fixing mistakes and prioritizing cybersecurity. By devoting adequate resources to data privacy—such as partnering with an expert third party like Auth0—you can prove that your business is serious about getting GDPR compliant.
Embrace GDPR Compliance Now or Risk Penalties Later
What these fines should teach us is that no one who processes the data of EU citizens is small enough to pass under GDPR’s radar. (That even includes private individuals, like the man who was fined €300 by Austria’s data protection authority for illegally using a dashcam.)
The pace of regulatory actions under the GDPR is expected to only increase in the coming year, and all it takes is a single individual’s complaint to trigger an investigation. Given the potential costs of GDPR infringement, along with the new data protection laws coming into effect around the world, now is the time to put appropriate security measures in place and prove that you’re serious about protecting personal information. If you’d like to learn how the right identity management partner can be part of the solution, don’t hesitate to reach out to Auth0’s experts today.