Five Lessons Learned from Early GDPR Fines
Earlier this month, Portugal’s data protection authority issued a €400,000 fine to a hospital for failing to apply appropriate access controls to digital patient data. This is one of the first penalties we have seen issued under GDPR since it became applicable earlier this year. Several elements of the case are notable, chief among them that the fine was imposed even though no data breach occurred.
The hospital had been embroiled in an ongoing labor union dispute. As part of that legal battle, union whistleblowers reported that the hospital was allegedly granting doctor-level access to patient records to more than 985 accounts, including outside providers and contractors, even though it employed only around 300 doctors. The alleged violation was reported to multiple regulatory bodies in the country, and eventually the data protection authority, acting under its GDPR powers, became involved.
To date, regulators have typically issued fines only after a security breach or incident caused by negligence (such as losing unencrypted laptops), malicious intent or unethical practices (such as data misuse). The Portuguese case indicates that organizations of all sizes, across the EU and in other jurisdictions, should expect regulator activity to be triggered by a variety of catalysts, not just breaches. Fines are likely to increase in frequency and severity for poor data management, for violations of the GDPR’s principles of integrity and confidentiality and of data minimization, and for other data processing missteps that could lead to a breach. With this in mind, below are five key lessons from these early GDPR penalties to guide better preparedness.
- GDPR may be used to influence ongoing legal matters: Data protection authorities now have far more power and oversight to investigate and correct data privacy issues than ever before. Because of this, we are likely to see more whistleblowing aimed at using alleged GDPR violations to influence other legal matters, such as employment litigation or union negotiations. Any organization involved in an ongoing dispute may find that opposing parties now have more incentive to notify authorities of potential non-compliance, to damage the organization’s reputation or otherwise weaken its position.
- Regulators abound: The case in Portugal involved several regulatory bodies, all working with the data protection authority to investigate the whistleblowers’ claims and bring enforcement on multiple fronts. This is very likely to recur in other actions, particularly in industries such as healthcare, pharma and financial services where sector regulators are already extremely active. Expect increasing cooperation between sector regulators, national agencies and EU data protection authorities to investigate and enforce data privacy principles.
- Size does not matter: Authorities are not going to limit enforcement to large corporations alone. Small and mid-sized companies cannot expect to fly under the radar and must be equally prepared to face fines and other penalties that are proportionate to their businesses. An app developer in Germany experienced this first hand, when it was penalized by data protection authorities for failing to follow basic security practices for user passwords. Though the company self-reported when it became aware of the issue, was fully cooperative with regulators and did not experience a breach, it still incurred a substantial fine.
- Policies, procedures and other basic best practices are critical: Regulators will no longer have sympathy for a failure to put the right processes in place. Organizations must take access management and the other security controls now considered basic requirements seriously. Properly managed role-based access control is a straightforward and effective way to ensure that access to personal data is limited to what each role needs, and that access by outside third parties and contractors is explicitly granted, time-limited and monitored. Role assignments also need periodic review against an independent record such as HR headcount: the Portuguese case turned on the gap between roughly 300 employed doctors and more than 985 accounts with doctor-level access, a discrepancy a routine access review would have surfaced. Likewise, high-risk data is expected to be protected at rest, with encryption and data masking where the data must remain recoverable, and with salted, slow password hashing (not reversible encryption) for user passwords.
- Fines may be the least of any worries: Fines are worrisome and can have a significant impact, but GDPR’s teeth can bite much harder than fines alone. Reputational damage from publicized non-compliance is a major concern for many organizations, as is the authority regulators have to take corrective action against specific processing operations, including ordering a halt to them. The impact of brand damage, or of losing the ability to carry out the international data transfers out of the EU that the business depends on, can last far longer than the hit of a single monetary penalty.
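To make the access-control lesson concrete, the following is an added example (not code from the article or from any organization it describes) of the three controls the list above calls for: a default-deny, role-based check over patient-record actions that logs every decision involving an external party, an access review that reconciles role assignments against an HR headcount, and password storage using a salted, slow key-derivation function rather than reversible encryption. The policy, role names, usernames and headcount figures are constructed for illustration.

```python
"""Role-based access to patient records, access-review reconciliation and
slow-hash password storage. Added example, not from the original article;
policy, roles and sample data are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed policy: the actions each role may perform on a patient record.
# Roles absent from the policy (or with an empty set) are denied by default.
POLICY = {
    "doctor": {"read_clinical", "write_clinical", "read_admin"},
    "nurse": {"read_clinical", "read_admin"},
    "admin_staff": {"read_admin"},
    "contractor": set(),  # external parties get nothing unless explicitly granted
}


@dataclass
class User:
    username: str
    roles: set
    external: bool = False  # outside provider or contractor


@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)

    def is_allowed(self, user, action):
        """Default-deny check: allowed only if some role grants the action."""
        allowed = any(action in POLICY.get(r, set()) for r in user.roles)
        # Record every decision so third-party access can be monitored.
        self.audit_log.append({"user": user.username, "action": action,
                               "external": user.external, "allowed": allowed})
        return allowed


def review_role_counts(users, hr_headcount):
    """Reconcile role assignments against HR headcount.

    Returns {role: (accounts_with_role, people_hr_says_hold_it)} for every
    role where accounts outnumber people, which is the pattern the
    Portuguese case turned on (doctor-level accounts vs employed doctors).
    """
    counts = {}
    for u in users:
        for r in u.roles:
            counts[r] = counts.get(r, 0) + 1
    return {r: (n, hr_headcount.get(r, 0))
            for r, n in counts.items() if n > hr_headcount.get(r, 0)}


# Password storage: a per-user random salt and scrypt (memory-hard, slow).
# The stored value cannot be decrypted; it can only be re-derived and compared.
_SCRYPT = dict(n=2 ** 14, r=8, p=1, maxmem=2 ** 26)


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **_SCRYPT)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **_SCRYPT)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    ac = AccessControl()
    print(ac.is_allowed(User("dr_a", {"doctor"}), "write_clinical"))            # True
    print(ac.is_allowed(User("vendor1", {"contractor"}, True), "read_clinical"))  # False
    staff = [User(f"d{i}", {"doctor"}) for i in range(5)] + [User("n1", {"nurse"})]
    print(review_role_counts(staff, {"doctor": 3, "nurse": 1}))  # {'doctor': (5, 3)}
    stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored))  # True
```

The review function is deliberately independent of the access-control code: it takes the account list and the HR figures as separate inputs so that the people who administer accounts are not the only source of truth about who should have them.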
One important note: the hospital in the Portuguese matter is appealing the fine. It will be interesting to see how the appeal plays out, and how long it takes before this action prompts similar investigations and penalties in other jurisdictions across Europe. Organizations must keep a close eye on these matters and take proactive steps to get their data management and security in order. It is now clearer than ever that the authorities may come calling, whether or not a data breach has occurred.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.