New GDPR Fines Bring Important Lessons for Organizations Big and Small
The last several weeks have been active ones in terms of data privacy protection. In the wake of massive fines to Marriott and British Airways a few months ago, there was a slight – very slight – lull. Since late October, two new fines have been levied that bring instructive lessons for organizations looking to avoid a similar fate.
The first fine, levied against German property management firm Deutsche Wohnen on October 30, 2019, totaled €14.5 million. Based on the statements released by the Berlin Commissioner for Data Protection and Freedom of Information, Deutsche Wohnen illegally maintained an extensive database of tenant information, including detailed personal and financial data, despite there being no business requirement to do so. The fine follows warnings that were provided to Deutsche Wohnen in 2017 relating to their data archive practices.
The lesson to be learned from Deutsche Wohnen is an important one. Namely, the organization’s fine resulted not from a data breach or misuse of sensitive data, but merely from the possibility of such an event occurring because of poor sensitive information management practices. Indeed, the original penalty under consideration was €28 million, with this figure being reduced on the basis that no actual damage to data subjects had occurred.
The second instructive fine to occur in recent weeks comes from France. On November 21, 2019, the French Data Protection authority (CNIL) penalized small energy company Futura Internationale (a firm with about 100 employees) with fines totaling €500,000. Futura Internationale used sensitive subject data for direct marketing purposes, contacting subjects via cold calls and digital marketing without providing a means for addressing Subject Access Requests (SAR) for data disclosure, data modification, or data removal (i.e. opt-out). Indeed, at least one subject filing complaints against Futura Internationale went so far as to visit the company’s headquarters in order to stop receiving calls, to no avail.
The message from cases like Futura Internationale is a critically important one for small and medium businesses – namely, GDPR isn’t just a requirement for big companies. GDPR is a new reality impacting all businesses, regardless of their scale of operation. Exercising due diligence in the systems and processes needed to safeguard sensitive data and ensure responsive handling of Subject Access Requests is not a luxury; it is a cost of doing business. Done properly, strong data stewardship has the potential to foster customer loyalty, enhance brand equity, and grow top-line revenues.
Since it took effect in May 2018, GDPR has changed the information governance landscape. What was once a largely theoretical domain has for many companies become all too tangible through fines or negative publicity. Nyxeia works with some of the world’s leading private brands and public sector organizations to help them adapt to the new information governance reality and to exceed customer and regulator expectations concerning the protection of sensitive information throughout its entire lifecycle.