REGULATOR ENFORCEMENT ACTION
With at least 100 GDPR enforcement actions reported this past quarter, and penalties ranging from 1,000 euros to 8,000,000 euros, it is clear that EU and UK regulators take GDPR compliance seriously.
Here are just a few examples of recent activities that have led to regulator action and fines.
- In the UK, carrying out direct marketing activities without consent has been behind most fines and notices issued by the ICO this quarter. Small and large organisations alike have been penalised. In all cases the volumes of email/SMS/telephone marketing activities have been high, but a tiny portion of complaints (much less than 1%) has been enough to trigger enforcement.
- Failing to meet the 72hr deadline for reporting a data breach resulted in a 475,000 euro fine for Booking.com from the Dutch regulator. A reminder that it is critical to have an effective process in place to respond to any data breach and to train staff to recognise and report any suspected breach immediately.
- A mistake of emailing documents containing personal data to the wrong client led to a 3,000 euro fine being issued to a financial consulting firm. The Spanish regulator’s concerns included not having adequate security measures in place to protect personal data – for example, measures such as pseudonymisation or encryption to help protect confidentiality.
Tips: Avoiding regulator complaints
- Ensure your marketing team are well versed on obligations under both GDPR and PECR (e.g. for email marketing).
- Assess the measures you have in place to prevent sending confidential candidate data to the wrong recipient, e.g. using encryption, pseudonymisation or related staff training.
- Carry out refresher training for all your staff on how to avoid data breaches, to help reduce the risk of fines or reputational damage for your business.
- Check all staff are well trained in identifying, escalating and responding to data breaches quickly, so you meet the GDPR’s 72hr deadline.
How can we help?
- Data breach is one of the key aspects of GDPR included in our employee online GDPR training.
- Our short cyber security awareness online training helps employees reduce risks of cyber attacks from hackers, online criminals or other malicious attacks, including the higher risk areas when working from home.
- Register your interest in our GDPR for marketing refresher to help your marketing activities comply with GDPR and PECR.