The EU General Data Protection Regulation (GDPR) reshaped the way data is handled across every sector, from healthcare to banking. Since enforcement began on 25 May 2018, businesses have already received fines or been subjected to enforcement actions. We look at three key cases and draw some key lessons from these cases.
Portugal
Accusations about the Centro Hospitalar Barreiro Montijo (CHBM) were raised in April 2018 when the Sindicato dos Médicos da Zona Sul (Medical Workers Union of the Southern Zone) reported that non-clinical staff were using ‘medical’ profiles to access CHBM’s computer system.
Fine: 400,000 EUR.
GDPR breach: After inspecting Centro Hospitalar Barreiro Montijo, the Portuguese DPA found that the hospital's account management practices were deficient. They found 985 users were registered on the system with ‘Physician’ permissions, but only 296 physicians were actually employed. One test profile was set up with the same unrestricted access as the ‘technical’ profile, and nine social workers had been given access to confidential patient information.
Finding: It was the hospital's responsibility to ensure that adequate security measures were implemented. It failed to respect patient confidentiality and limit access to patient data, as well as failing to ensure the confidentiality, integrity, availability and permanent resilience of treatment systems and services.
Hospital's response: The hospital argued that it was not responsible for these deficiencies as they used the IT system provided to public hospitals by the Portuguese Health Ministry.
Germany (non Healthcare related)
In September 2018, social media company Knuddels.de were hacked. The company reported that details of round 808,000 user email addresses and passwords were stolen. As soon as the company became aware of the attack they notified the LfDI (the relevant DPA).
Fine: 20,000 EUR.
GDPR breach: LfDI found that Knuddels.de had stored user passwords in a plaintext file. LfDI stated that “By storing the passwords in plain text, the company knowingly violated its obligation to ensure data security pursuant to Art. 32 para. 1 lit a DS-GVO when processing personal data.”
Finding: LfDI imposed a relatively low fine because Knuddels.de made every effort to inform the DPA and users as soon as they could. They also praised the company's “exemplary cooperation” with the authority and pointed out the significant improvement and investment in IT security following the hack and investigation.
Key message: Clearly, passwords should never be stored in plaintext. However, Knuddels.de responded in an exemplary fashion, thus benefiting from a much reduced fine.
France (non Healthcare related)
Following a complaint made in May 2018, the French DPA issued Google with an enormous fine for failing to provide sufficient information to users about its data consent policies and not giving enough control over how their data is used for targeted advertising.
Fine: 50 million EUR.
GDPR breach: Google failed to obtain clear consent for processing data because "essential information" was "disseminated across several documents". "The relevant information is accessible after several steps only, implying sometimes up to five or six actions, users are not able to fully understand the extent of the processing operations carried out by Google." Also, the consent box for personalising ads was pre-checked on the account creation page.
Finding: The information on processing operations for the ads personalisation is diluted in several documents and does not enable the user to be aware of their extent. The user gives his or her consent in full, for all the processing operations purposes carried out by Google based on this consent (ads personalisation, speech recognition, etc). However, the GDPR provides that the consent is 'specific' only if it is given distinctly for each purpose." The fine was levied because of a "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation," coupled with the fact that the situation is still ongoing.
Google's response: "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps."
Lessons we can learn:
1. GDPR affects every business operating in the EU
The GDPR affects foreign companies that do business in the EU. Firms that have employees or customers in EU are affected by the GDPR. The Google fine shows that EU data protection authorities take this law seriously.
According to an Ovum report, about two-thirds of US companies say that the GDPR made them rethink their strategy in Europe. Even more, 85%, see the GDPR putting them at a competitive disadvantage with European companies.
Recommendation:
Develop a compliance strategy which includes people, processes and technology.
2. Both the developers (Processors) and the clients (Controllers) are responsible for GDPR compliance
The case of the Portuguese hospital shows that legal responsibility lies with the institution that is collecting the data and their software suppliers.
The Centro Hospitalar Barreiro Montijo (CHBM) used the same software as all other hospitals in Portugal but was found guilty because of:
Incorrect documentation. The requests from the users to access patient profiles including clinical information were not documented.
Lack of technical rules defining access to sensitive data. There was no document defining the rules for creating users of the hospital's information system. This violated the GDPR principle of "need to know" and the principle of "minimisation of data". There were 985 users associated with the profile "doctor," but in the official hospital human resources charts, there are only 296 doctors in that hospital. Only 18 user accounts were inactive and the last one was deactivated in November 2016.
Recommendation: Personal data needs to be stored according to the GDPR, regardless of the technology used for storage and processing. Map your company’s data, determine what data you need to keep, put security measures in place, review your documentation and establish procedures for handling personal data.
3. Small businesses are not exempt from the law
Even though SMEs typically face smaller fines, we have already seen cases where small businesses have been fined by the authorities.
Under GDPR, the maximum potential fines are up to €20 million or 4% of the offender’s global annual turnover, whichever is greater. However, fines are used to set an example rather thank lead businesses to the bankruptcy. For example, a data controller with an annual income of 40,000 EUR is unlikely to receive a 20 million EUR fine.
Recommendation: However small your company, it's essential to make sure you comply with GDPR or risk both fines and reputational damage.
4. GDPR still leaves room for interpretation
GDPR is a minimum requirement for all EU states and leaves much to interpretation. It says that companies must provide a “reasonable” level of protection for personal data, for example, but does not define what constitutes “reasonable.” This gives national Data Protection Authorities a lot of leeway when it comes to assessing fines for data breaches and non-compliance.
Some countries are famous for their active involvement in fighting for privacy. Austria was the only EU member state to vote against GDPR for not being strict enough. So, it's not a big surprise that the first enforcement case came from this country as well.
Recommendation: Always keep up to date with the latest advice from the EU's Art. 29 WP and monitor how DPAs are enforcing GDPR.
For more information on the requirements of GDPR download our eBook on Health App Compliance.
5. Encrypt Passwords
Unencrypted storage of passwords poses unacceptable security risks. A fine imposed by the German DPA confirms that the encryption of stored passwords is a GDPR requirement.
Recommendation: only store passwords in an encrypted fashion. More specifically (for the technically inclined reader), we would recommend the use of salted hashes with a different salt for each password. Our CEO Jovan Stevovic has written about Pseudonymisation and Encryption of Health Sensitive Data.
Save time and effort by choosing Chino.io's Database as a Service. Our system uses record level encryption with AES-256 and HTTPS/TLS for transmission. Secure indexing and tokenisation for search operations. Encryption keys (for each user) are managed according to HSM standards.
For more information download our eBook on Health App Compliance.
6. Cooperation and transparency pays off
In the case of the Knuddels.de chat platform, the German DPA acknowledged “very good cooperation” and “exemplary transparency” on the platform’s part.
"Those who learn from harm and act transparently to improve data protection can emerge stronger as a company from a hacker attack" said Stefan Brink, the data protection officer who was involved in the case.
Knuddels.de reacted quickly and enhanced security measures in conjunction with the authority. Voluntary reporting and cooperation with the DPA resulted in a fine of just (20,000 EUR). GDPR envisages maximum potential fines up to €20 million (£17.6 million) or 4% of the offender’s global annual turnover, whichever is greater. Knuddels.de behaved in an exemplary fashion, reporting the hacking attack and the leak as quickly as possible and being completely transparent. By contrast, Google were uncooperative and received a far bigger fine (though still well below the maximum potential penalty).
When calculating a penalty, DPAs consider the number of the people impacted, the nature of the infringement, any mitigation actions, preventative measures, cooperation with the supervisory authority, transgression record and timely notification of the DPA.
Recommendation: You may be tempted to cover up data breaches or not to cooperate fully with the DPA. However, comparing the scale of the Knuddels.de and Google fines shows that this strategy won't pay off.
7. Public opinion on data privacy is changing
Public concern over privacy is significant and grows with every new high-profile data breach. The RSA Data Privacy & Security Report, looks at public opinion in France, Germany, Italy, the UK, and the US. Three key insights are:
- The top concern for 80% of consumers is to lose their financial data.
- Lost security information (passwords) and identity information (passports or driving license) concern 76%.
- Consumers' data collection behaviour is changing. 41% of respondents admitted to intentionally falsifying personal information and data when signing up for products and services online.
The report shows that awareness about cybersecurity and data protection is growing and consumers are more careful in providing their data to the companies.
How can Chino.io help?
Even though personal data do not require high-security measures like encryption, they may still be confidential or important to your business. With Chino.io you can easily store them in a safe place and ensure security, confidentiality, and compliance.