GDPR Compliance — The Fines Have Begun!

Published On September 10, 2019

GDPR compliance has been a major talking point among information governance professionals for quite some time. Unfortunately, some organizations have now run afoul of the law, making the promised fines a reality for the non-compliant.

GDPR’s First Fines Are Nothing to Sneeze At

A recent article from Lexology’s Technology Law Dispatch relates a ruling in May of this year made by the French data protection authority, Commission Nationale de L’informatique et des Libertés (CNIL), that imposed a fine of 400,000 euros on a French property management company, for failure to comply with the regulation to maintain the security and limit the storage of personal data. This 400,000 euros represents close to 1% of the net revenue of the company.

While this was the first such fine for GDPR compliance failures in France, it is not unusual. Another report from Lexology states that the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) imposed fines in two separate cases of data infringement and violation of the General Data Protection Regulation (GDPR).

In the first case, NAIH imposed a fine of 100,000 Hungarian forints on an unnamed social and child welfare institution for a late data breach notification. The organization had sent nine letters to the wrong recipients that contained sensitive information on 18 people, including contact information for children and their families, criminal-record data and information related to child-protection proceedings.

In the second case, NAIH issued a fine of 30,000,000 forints against one of Hungary’s largest multicultural music and arts festivals. The violation pertained to the festival organizer’s security screening procedures of photocopying hundreds of thousands of festival guests’ identification documents and taking photos at the entry gate. The fine represented 2.3% of the company’s net revenue.

Review Your Plan

Did those numbers get your attention? These are the first fines to be imposed under GDPR compliance procedures and they will not be the last. Compliance with the regulation is not a difficult task. Compliance policies and procedures are industry standards for information governance. Here are some basic steps to ensure your organization complies with the regulation:

1. Have a fully documented information governance program led by a central figure or group in charge of the program to monitor compliance.
2. Maintain a fully documented training program to prove everyone that handles client data has been fully trained on how to comply with the regulatory requirements.
3. Identify and document where all personally identifiable information (PII) is stored within your organization’s systems.
4. Ensure all PII is securely stored and fully removed from all systems when no longer needed. This means complete data access logs, end-to-end encryption, and documented expungement procedures and logs.
5. In the advent of a breach, have a documented procedure in place that notifies everyone affected in the prescribed time frame, which is currently within 30 days.

Of course, all the procedures in the world mean nothing if they are not followed, which has disastrous consequences. There must be a rigorous internal audit process in place to ensure all policies and procedures are followed. My policy is always, “Trust, but verify.”

As many people have being saying for a while, this regulation is no joke. GDPR compliance is a critical issue for any organization that has clients in the European Union. If your organization is not fully compliant now, you should still have a documented plan ready should an audit occur, so that you can at least demonstrate a good faith effort toward compliance. It might not help in the long run, but it’s better than having nothing at all.