For this week’s column, we look at four of ESOMAR’s data protection recommendations, part of the #BeDataSmart campaign, through four recent enforcement actions under the GDPR. A comprehensive understanding of the GDPR, and of the appropriate and necessary measures to protect data subjects’ and your business partners’ data, can make the difference in avoiding a significant fine, which affects your business not only financially but also in terms of its global brand reputation.
Germany: Police officer
The facts: A police officer was recently fined 1,400€ for using data collected and used in a professional setting for his own private purposes. Using the license plate number of an acquaintance, he was able to trace their phone number and contact them without any official reason, or consent from that party.
The law: Personal data shall be collected for specified, explicit and legitimate purposes. Further processing of these data for another, incompatible purpose is not allowed: this is the principle of purpose limitation.
The lesson: Personal data that has been collected should only be used for the purpose for which it was collected, and never for personal reasons or gain, e.g. keeping a copy of a client database, and thus of personal data, after moving to a new firm.
Lithuania: MisterTango
The facts: MisterTango, a Lithuanian payment service, did not take the necessary technical and organizational measures to protect its clients’ data, employing only one person to maintain its IT infrastructure. This resulted in consumers’ payments and payment details being exposed publicly online for 2 days. The investigation also concluded that the company collected more data than it needed and stored it for too long. Following this breach, the controller did not report it to the supervisory authority. MisterTango was fined €61,500 for its violation of Articles 5, 32 and 33.
The law: Article 5 requires that the data collected is “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. Under Article 32, “appropriate technical and organizational measures [should be taken] to ensure a level of security appropriate to the risk”. Finally, Article 33 requires that any data breach be reported, where feasible, within 72 hours.
The lesson: This highlights the importance of collecting only the data that is needed for your research and storing it only for as long as necessary. Not only is this required by the GDPR, but in case of a data breach it helps to limit the damage. Finally, if a data breach does occur, report it diligently to the competent supervisory authority.
UK: British Airways
The facts: The recent events involving British Airways showed once again that investing in an adequate security system is vital to data protection. Indeed, the UK’s Information Commissioner’s Office just announced its intention to fine British Airways £183.4 million for a data breach dating from August, or, in other words, 1.5% of the company’s worldwide revenue for 2017. It is said that 500,000 customers’ details were compromised, including payment card and travel booking details.
The law: Depending on the type of non-compliance, under Article 83 of the GDPR a firm can be fined up to €20 million or 4% of its annual worldwide revenue for the prior financial year, whichever is higher.
The lesson: A proper security system to protect your clients’ and/or panelists’ data, although an investment, can ultimately make the difference in preventing a major data breach, which could result in major fines for your firm.
UK: Marriott International
The facts: 339 million guests’ records, including 5 million unencrypted passport numbers and 8 million credit card records, were exposed after Starwood’s database (which Marriott acquired in 2016) was hacked. Starwood’s systems were first compromised in 2014, but this was not discovered until this year, after Marriott’s acquisition of the company. The subsequent investigation concluded that Marriott should have done more to secure its systems and had not carried out sufficient due diligence following its acquisition of Starwood. The ICO has announced its intention to fine Marriott £99 million, equivalent to 3% of its worldwide turnover for last year.
The law: The Information Commissioner stated that “Under the GDPR, organizations must be accountable for the personal information they hold [including] carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but how it is protected”, all of which falls under Article 32 of the GDPR.
The lesson: As an organization, you are accountable for the data you have acquired. Not knowing the source of your data or how it is protected is not an acceptable get-out-of-jail card. If you find out that you have acquired data that is not appropriately protected, immediately report any breach to the relevant authorities and be diligent in correcting the matter.