After more than a year of relative silence, this month, the Romanian Data Protection Authority announced 2 fines in 4 days: EUR 130.000 for a top bank in Romania and EUR 15.000 for a large hotel.

We are talking about large companies where it’s very likely that their IT managers were able to show the authorities a host of measures put in place to prevent outsiders from accessing, changing or deleting the company data.

So how did they get fined for reasons like “failure to implement appropriate technical and organisational measures” and “data security breach”?

As a provider of software that helps businesses manage their GDPR compliance, we got people asking us this question, so we looked to see if any lessons could be learned from it to help other companies.

What happened

  • The first incident was about including the personal identification number and the payer’s address on the bank statement of the payment recipient.
  • The second one consisted of someone taking a photo of the list of guests who had breakfast one morning at the hotel.

That’s it. No hackers that circumvented the firewall. No phishing campaign that stole passwords from customers. No IT security controls that failed.

A possible explanation

GDPR compliance programs for large organizations can be incredibly complex.

You might think that a large business has many people and resources allocated to compliance, but in many cases they are spread thinly across multiple topics.

With limited time and resources, DPOs and compliance teams might naturally tend to prioritize their time and budget on managing the lawfulness aspect of the processing.

This is especially true if they know their IT department is very strong and they underestimate the size of the gap between the security risks for business and the privacy risks for data subjects.

Unfortunately, in these 2 cases the incidents had no impact at all from a business perspective. The guest list was still there. The additional information on a bank statement did not create any extra cost or loss.

IT security could not help here. Only a detailed privacy risk analysis, conducted from the perspective of the impact on the data subjects, could have identified and mitigated these risks.

What can your business do to prevent this kind of incident?

Establishing controls to prevent these incidents would have been trivial.

The hotel’s guest list should never have been accessible to guests or left unattended. And the bank statement could have been reviewed to see whether it carried any information that wasn’t really needed there.

The real difficulty was anticipating the problems. There was no system malfunction at either of these 2 companies. Nothing in their IT logs indicated a breach. No money was lost and no resources went missing. There was no signal that things had gone wrong.

Unless you have a magic crystal ball, the only way to find issues like these before they happen is to use a methodical approach to GDPR compliance.

This means:

  • identifying the processing activities and the data assets that support them.
  • determining the potential impact on data subjects for each privacy risk.
  • assessing the existing and planned controls on each data asset, to make sure the likelihood of the risk is as low as possible and the overall risk level for the activity is acceptable.

If this sounds like a lot of work… that’s because it is.

Becoming GDPR compliant is an ongoing process, requiring periodic involvement from every department and coordination between multiple people, with management support.

The good news is: even for large projects there are ways to stay in control. Find 30 minutes for a demo with us and we’ll show you how to do it.