GDPR threatens huge fines if you don’t comply. However, we often meet companies who think they will never face penalties. This is partly because some countries delayed enforcing GDPR. But as we explain, even smaller countries like Denmark are now applying penalties.
The GDPR has transformed data protection across the EEA and is acting as a model for many other countries. GDPR takes a pragmatic approach to data protection. Rather than mandate what companies must do, it says they must take “appropriate” measures to protect personal data. This means that a small company need not spend as much money on this as a multinational. However, GDPR allows data protection authorities (DPAs) to impose huge fines if a company breaches the requirements. In some cases, these fines can run to hundreds of millions. In this blog, we look at two GDPR cases in Denmark that highlight some important lessons.
Fundamentally, the aim of GDPR is to improve data protection across Europe. So, fines are seen as something of a last resort. Many DPAs have, officially or unofficially, allowed companies a grace period before starting to enforce GDPR. And enforcement action can take many forms before fines are applied. This approach has made some companies complacent about GDPR. However, these grace periods are coming to an end.
GDPR fines in Denmark
Two recent cases in Denmark highlight why complacency is a bad approach where data protection is concerned.
Processing personal data
During autumn 2018, the Danish DPA (Datatilsynet) made a proactive audit visit to IDesign, a large furniture retailer. During the visit, they discovered that IDesign was still using an old, insecure system in three of its stores. This system held the personal data of 385,000 customers. The DPA found that IDesign had no plan for deleting this data once it was no longer needed. As a result, they were in breach of the Data Minimisation Principle. The DPA recommended a fine totalling 1.5MDKK (€200k). N.B. in Danish law, GDPR fines have to be imposed by a court, but the expectation is that the court will follow the advice of the DPA.
Deleting personal data
In the second case, Datatilsynet made a supervisory visit to Taxa 4x35, a taxi company based in Copenhagen. During the visit, they asked for details of how personal data was deleted once it was no longer needed; in other words, how Taxa 4x35 implemented the Data Minimisation Principle. It turned out that all the company did was delete the customer names while retaining the logs of the journeys. This was found to be inadequate, since the logs still included mobile phone numbers. This issue affected almost 9 million taxi records. As a result, the DPA recommended that Taxa 4x35 be fined 1.2MDKK (€160k) and referred the company to the police.
What these decisions mean for you
There are three key lessons that these cases highlight.
- Inspections can and do happen. DPAs make random audit and supervisory visits to check whether companies are complying with GDPR. Prior to the audit visit, IDesign had completed a questionnaire about its systems, but despite this it was still found to be non-compliant.
- Understand what data you are retaining. Taxa 4x35 had failed to assess what data it was still retaining after deleting a customer’s name. The problem arose because the company used personal data (the phone number) as the key for its database, so the taxi trip records still contained personal data even after the name was removed. This highlights the importance of the technical design of your data processing systems.
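To make the design point in the second lesson concrete, here is an added Python/SQLite example. It is not code from this post or from Chino.io, and the customer and trip records in it are constructed sample data. It contrasts a schema that keys journey logs on the customer's phone number (so that "deleting" a customer by clearing the name leaves the number in every trip row) with one that keys them on an internal surrogate id, where removing the customer row detaches the logs from any identifier while the journey statistics are kept. The small audit helper scans the trip table for anything that still looks like a phone number, which is the kind of check a retention review should run before declaring data deleted.

```python
import re
import sqlite3

# Constructed sample records for the demonstration; not real people or journeys.
SAMPLE_CUSTOMERS = [("+4500000001", "Customer A"), ("+4500000002", "Customer B")]
SAMPLE_TRIPS = [
    ("+4500000001", "2018-10-01T08:00", "Noerreport", "Airport"),
    ("+4500000001", "2018-10-03T17:30", "Airport", "Noerreport"),
    ("+4500000002", "2018-10-02T12:15", "Vesterbro", "Oesterbro"),
]

# Crude pattern for an international phone number; good enough for a retention audit.
PHONE_RE = re.compile(r"^\+\d{8,15}$")


def phone_numbers_left_in_trips(conn):
    """Audit helper: distinct phone numbers still present in any column of 'trips'."""
    columns = [row[1] for row in conn.execute("PRAGMA table_info(trips)")]
    found = set()
    for row in conn.execute(f"SELECT {', '.join(columns)} FROM trips"):
        for value in row:
            if isinstance(value, str) and PHONE_RE.match(value):
                found.add(value)
    return sorted(found)


def flawed_design():
    """Phone number is the customer key and therefore the foreign key in every trip row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (phone TEXT PRIMARY KEY, name TEXT)")
    conn.execute(
        "CREATE TABLE trips (id INTEGER PRIMARY KEY, phone TEXT NOT NULL "
        "REFERENCES customers(phone), started TEXT, pickup TEXT, dropoff TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    conn.executemany(
        "INSERT INTO trips (phone, started, pickup, dropoff) VALUES (?, ?, ?, ?)", SAMPLE_TRIPS
    )
    # The "deletion" step as the post describes it: names go, journey logs stay.
    conn.execute("UPDATE customers SET name = NULL")
    return conn


def hardened_design():
    """Customers get a surrogate id; trips reference that id, never the phone number."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # needed for ON DELETE actions in SQLite
    conn.execute(
        "CREATE TABLE customers (customer_id INTEGER PRIMARY KEY, "
        "phone TEXT UNIQUE NOT NULL, name TEXT)"
    )
    conn.execute(
        "CREATE TABLE trips (id INTEGER PRIMARY KEY, customer_id INTEGER "
        "REFERENCES customers(customer_id) ON DELETE SET NULL, "
        "started TEXT, pickup TEXT, dropoff TEXT)"
    )
    conn.executemany("INSERT INTO customers (phone, name) VALUES (?, ?)", SAMPLE_CUSTOMERS)
    for phone, started, pickup, dropoff in SAMPLE_TRIPS:
        conn.execute(
            "INSERT INTO trips (customer_id, started, pickup, dropoff) "
            "SELECT customer_id, ?, ?, ? FROM customers WHERE phone = ?",
            (started, pickup, dropoff, phone),
        )
    # Deletion at the end of the retention period removes the identity row; the
    # ON DELETE SET NULL action detaches the journey logs, which can be kept for
    # statistics because they no longer carry any identifier.
    conn.execute("DELETE FROM customers")
    return conn


def trip_count(conn):
    return conn.execute("SELECT COUNT(*) FROM trips").fetchone()[0]


def linked_trip_count(conn):
    """Trips in the hardened schema that still point at a customer row."""
    return conn.execute("SELECT COUNT(*) FROM trips WHERE customer_id IS NOT NULL").fetchone()[0]


if __name__ == "__main__":
    print("flawed schema, phones left in trips:", phone_numbers_left_in_trips(flawed_design()))
    hardened = hardened_design()
    print("hardened schema, phones left in trips:", phone_numbers_left_in_trips(hardened))
    print("hardened schema, trips kept / still linked:", trip_count(hardened), linked_trip_count(hardened))
```

The point of the surrogate key is that the only place the phone number lives is the customers row, so the retention process has one record to delete per person. If the journey logs must survive for longer than the identity (for accounting or capacity planning, say), they survive without any column that can be traced back to an individual.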
How Chino.io can help
Here at Chino.io, we are experts in data protection and GDPR for eHealth companies. We can give you advice on both the technical and organisational measures that you need to implement. Get in touch if you want to arrange a free assessment of your current status. You can also find more information on this topic in our GDPR eBook.