Data protection expert urges: What can be learned from the biggest mistakes?

European data protection supervisory authorities imposed €107.3 million in fines for GDPR violations in the first half of this year. These cases highlight a significant need for increased awareness and compliance with data protection regulations among companies and public institutions, according to Krete Paal, CEO of GDPR Register.

Paal noted that the fines imposed this year give a clear overview of the most common data protection failures. "Certainly, awareness is greater today and the situation in the field of personal data protection is much better than a few years ago, but the fines imposed this year clearly show that there is room for improvement. For instance, strong data security measures are the key today, and many of this year's fines were primarily due to the implementation of inadequate security measures," said Paal.

This year's largest fine was levied on the Italian energy company Enel Energia SpA, amounting to €79.1 million. The company was penalised for failing to implement adequate data security measures, which resulted in unauthorised access to customers' personal data. Specific violations included making unsolicited marketing calls to customers without their consent and insecurely sharing access rights and passwords among employees.

In another case, UniCredit faced a €2.8 million fine in Italy due to insufficient security measures. A data leak exposed the company's failure to restrict access to personal data adequately, leaving it accessible to unauthorised individuals.

Another major concern is the transparency in the use of data and the practices of obtaining consent from individuals. "Recent cases, such as the €13.9 million fine imposed on Avast Software, highlight the need for clear communication between the individual and the data processor. Avast, an antivirus software company, sold its customers' personal data to marketing companies for profit. When a company or institution asks for consent to process data, it must be compliant and clearly understandable," explained Paal.

Protecting employee privacy is crucial

The French supervisory authority fined Amazon France €32 million for violating employee privacy with its surveillance systems. Amazon monitored employees in its French warehouses using scanners and video cameras to assess productivity. The data protection authority determined that Amazon did not need the collected data for work planning and failed to properly inform employees about the video surveillance, causing undue stress.

Promptly reporting violations is also crucial. In Poland, Santander Bank Polska faced widespread criticism for not promptly informing affected individuals and authorities about a discovered violation. This oversight led to a significant fine of €326,000 for the bank.

Finnish online retailer Verkkokauppa.com was fined due to a lack of clear data retention policies. "The retention of personal data must be well thought out and justified, and unnecessary retention of personal data should certainly be avoided," emphasised Paal.

Based on the mistakes made this year, the data protection expert provided five recommendations for better compliance with GDPR requirements and avoiding fines:

  • Implement comprehensive data security protocols: Regularly update and test security systems and protocols to protect personal data from unauthorised access and breaches.
  • Ensure transparency and obtain valid consent: Conduct periodic audits to ensure that consent mechanisms comply with GDPR requirements and provide clear information.
  • Balance monitoring practices with privacy rights: Develop and implement monitoring systems that respect employee privacy and offer clear notifications about monitoring practices.
  • Create clear response plans for data breaches: A response plan for data breaches should include procedures for timely notification to authorities and affected individuals.
  • Define and follow data retention policies: Update the data processing registry and implement systems for deleting data according to defined retention policies, minimising the retention of unnecessary personal data.