Presentation of research on GDPR enforcement practice, based on publicly available information about 86 cases. The event at which the research was presented took place in Kyiv, Ukraine on October 10, 2019.
2. Acknowledgements
The author of this analysis, Anastasiia Konoplova, wishes to thank
Irina Ivchenko, Kostyantyn Kulikov, Oleksii Mervinskiy for
contribution, subject matter discussion and support;
Oleksii Baranovskiy and CyberDn0 team for help with
organization of this event;
attendees of ISACA Kyiv chapter events for their questions and
inspiration.
3. GDPR – Where we are now?
http://www.eugdpr.org/the-regulation.html
Timeline:
Initial proposal: 25.01.2012
Approved by EP: 27.04.2016
Full force: 24.05.2016
Transition period ended: 25.05.2018
Jan 2019:
95180 complaints to DPA
41502 data breach notifications
255 investigations
3 fines, incl. Google, €50 Mio
Data compromise in top business risks
Oct 2019:
Global enforcement
Local legislation
First finalized investigations
Court proceedings
No simple recipes
Future:
Rising complexity
Rising uncertainty
https://ec.europa.eu/commission/sites/beta-political/files/190125_gdpr_infographics_v4.pdf
Taken decisions:
Hired/assigned DPO
Created/updated policies
Data mapping & risk assessment
Updated process design
Implemented information systems
Audits
Awareness programs
etc
Who will be the next?
Are we ready?
4. Enforcement: Data challenges
Lack of trusted sources
Welter of information in media
Privacy enforcement more than GDPR enforcement
Different national legislations – and languages
Heterogeneous data, case-by-case approach
7. Examples of sources for validation
List of decisions of Hellenic DPA, Greece
Yearly report 2018 of UOOU, Czech Republic
Yearly report 2018 of Garante, Italy
8. Data set
86 cases, 5 under court proceedings
• 83 fines
• 3 other sanctions
Total fines € 372 911 936
• 98,7458% - TOP5
• Median € 10 000
Among sanctions: reprimand, warnings, service ban
A fine in the data set can consist of a GDPR fine, a local law fine and procedural costs
Figures should be understood as illustrative
11. Among victims
Sensitive data
• Banking&finance
• Medical
• Public sector, agencies, municipalities
• Employers of any sector
Large amount
• Media
• Tech&platforms
• Telecom
• Infrastructure operators
Trade&B2C services: cafe, taxi, stores
Private persons
12. Most expensive infringements*
*excluding the top-5
Please note: the classification of infringements is tentative; several articles are violated in most cases
13. Top-5 of fines, facts
British Airways: € 204 600 000 (not final), UNITED KINGDOM, 08-07-19 (since 09/2018), Art. 32 GDPR
Marriott International, Inc: € 110 390 200 (not final), UNITED KINGDOM, 09-07-19 (since 11/2018), Art. 32 GDPR
Google Inc.: € 50 000 000, FRANCE, 21-01-19 (since 05/2018), Art. 13 GDPR, Art. 14 GDPR, Art. 6 GDPR, Art. 4 nr. 11 GDPR, Art. 5 GDPR
National Revenue Agency: € 2 600 000, BULGARIA, 28-08-19, Art. 32 GDPR
Morele.net: € 644 780, POLAND, 10-09-19 (since 11/2018), Art. 32 GDPR
14. Top-5 of fines, stories
British Airways
• XSS; 500 000 customers were compromised. The incident possibly started in June 2018 and was notified in September 2018
• link
Marriott International, Inc
• Data breach, notified to the ICO in November 2018. 339 million guest records globally were exposed by the incident. It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.
• link
Google Inc.
• The complaints concerned the creation of a Google account during the configuration of a mobile phone using the Android operating system. The consents obtained were neither "specific" nor "unambiguous"
• link
National Revenue Agency
• Data of 6 074 140 persons were publicly available, including contact data along with financial declarations and income data
• link
Morele.net
• Operates 11 internet stores
• 2 incidents: a data breach and a few services compromised, notified in 11/2018 and 12/2018
• Data of 2 200 000 customers were possibly exposed
• Some clients received SMS informing them that an additional fee of PLN 1 was required to complete the order. The message contained a link to a fake DotPay electronic payment gateway.
• link
15. Illustrative cases
Data processor in Poland, 219 538 Euro: processed data from public sources for commercial purposes without consent and proper information
School in Skellefteå, Sweden, 18 630 Euro: consent obtained from students was not a valid legal basis given the clear imbalance between the data subject and the controller
Telecom in Bulgaria, 27 100 Euro: repeated registration of prepaid services without the knowledge and consent of the data subject
Merchant in Belgium, 10 000 Euro: wanted to use eID to create a customer card
Private person in Germany, 2 000 Euro: sent several e-mails with an open mailing list (CC, not BCC).
16. Illustrative cases - 1
Data processor in Poland
• The company did not meet the information obligation in relation to over 6 million people. Out of about 90,000 people who were informed about the processing by the company, more than 12,000 objected to the processing of their data.
• The company processed the data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority found non-compliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In the case of the remaining persons the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website.
• In the opinion of the President of the Personal Data Protection Office, such action was insufficient: while having the contact data of particular persons, the controller should have fulfilled the information obligation in relation to them, that is, it should have informed them inter alia of: their data, the source of their data, the purpose and the period of the planned data processing, as well as the data subjects’ rights under the GDPR.
https://uodo.gov.pl/en/553/1009
17. Illustrative cases - 2
School in Skellefteå, Sweden
• A school in northern Sweden has conducted a pilot using facial recognition to keep track of students’ attendance in school.
• The test run was conducted in one school class for a limited period of time.
• The school has processed sensitive biometric data unlawfully and failed to do an adequate impact assessment, including seeking prior consultation with the Swedish DPA.
• The school has based the processing on consent, but the Swedish DPA considers that consent was not a valid legal basis given the clear imbalance between the data subject and the controller.
https://www.datainspektionen.se/nyheter/sanktionsavgift-for-ansiktsigenkanning-i-skola/
18. Illustrative cases - 3
Telecom in Bulgaria
• Employees of the telecommunications provider used personal data and registered the complainant with the company's prepaid service. The data subject had not signed the application and had not consented to the processing of his personal data for the stated purpose. There was also no other applicable legal basis. The signature on the application did not match the one on the complainant's own genuine application; the person's personal identification number was indicated, but the identity card number was not the complainant's.
https://www.cpdp.bg/?p=element_view&aid=2180
19. Illustrative cases - 4
Merchant in Belgium
• The merchant wanted to use an electronic identity card (eID) to create a customer card. The DPA's investigation revealed that the merchant required access to personal data located on the eID, including the photo and the barcode, which is linked to the data subject's identification number.
https://www.sudinfo.be/id141981/article/2019-09-19/un-commercant-recu-une-amende-de-10000-euros-pour-avoir-voulu-creer-une-carte-de
20. Illustrative cases - 5
Private person in Germany
• A private person sent several e-mails between July and September 2018 in which he placed personal e-mail addresses in a field visible to all recipients, so that each recipient could read the addresses of countless other recipients. The man was accused of ten offences between mid-July and the end of July 2018. According to the authority's letter, between 131 and 153 personal mail addresses were identifiable in his mailing list.
https://www.mz-web.de/merseburg/hunderte-adressen-im-verteiler-merseburger-muss-fuer-wut-mails-ueber-2-000-euro-zahlen-32033308
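The open-mailing-list failure in this case can be caught before a message leaves the sender. The pre-send check and rewrite below is an added example, not code from the presentation or from any authority it cites; the `MAX_VISIBLE` threshold and the sample message are assumptions constructed here.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy threshold: more visible recipients than this is treated as a
# bulk send that must go out via Bcc.
MAX_VISIBLE = 10


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can see: all of To and Cc (Bcc is stripped in transit)."""
    values = msg.get_all("To", []) + msg.get_all("Cc", [])
    return sorted({addr.lower() for _, addr in getaddresses(values) if addr})


def exposure_report(msg: EmailMessage, max_visible: int = MAX_VISIBLE) -> dict:
    """Flag a message whose To/Cc headers disclose the recipients to each other."""
    visible = visible_recipients(msg)
    return {"visible_count": len(visible), "exposed": len(visible) > max_visible}


def move_to_bcc(msg: EmailMessage) -> EmailMessage:
    """Rebuild the message so every recipient sits in Bcc and To names only the sender."""
    fixed = EmailMessage()
    skip = {"to", "cc", "bcc", "mime-version"}
    for name, value in msg.items():  # keep From, Subject, Date, ...; content headers are reset below
        if name.lower() not in skip and not name.lower().startswith("content-"):
            fixed[name] = str(value)
    recipients = set(visible_recipients(msg))
    recipients.update(a.lower() for _, a in getaddresses(msg.get_all("Bcc", [])) if a)
    fixed["To"] = str(msg["From"])
    fixed["Bcc"] = ", ".join(sorted(recipients))
    fixed.set_content(msg.get_content())
    return fixed


def build_sample(n: int) -> EmailMessage:
    """Constructed message imitating an open distribution list: n addresses in To."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = ", ".join(f"person{i}@example.net" for i in range(n))
    msg["Subject"] = "Message to the whole list"
    msg.set_content("Hello all")
    return msg


if __name__ == "__main__":
    open_list = build_sample(140)  # same order of magnitude as the 131-153 addresses in the case
    print(exposure_report(open_list))  # {'visible_count': 140, 'exposed': True}
    print(exposure_report(move_to_bcc(open_list)))  # {'visible_count': 1, 'exposed': False}
```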
21. Insights from this analysis
If you have >1 000 000 customers, security breaches are expensive – and unavoidable
Privacy mindset, or Principles first
Jurisdiction is REALLY important
Think first BEFORE direct marketing
Think first before implementing video surveillance or using biometrics; properly control blockchain and AI
22. Way to GDPR compliance
simple to say, hard to do
25. Privacy Mindset
Privacy is MORE important than your profit
Profit<Privacy<Common Wealth<National Security<Law<Human Life
GDPR exemptions (article numbers): 2.2 9.2 11 13.4 14.5 17.3 20.3 22.2 23 27.2 30.5 …
https://ec.europa.eu/commission/sites/beta-political/files/190125_gdpr_infographics_v4.pdf
26. Controller & Processor obligations
Data protection by design and by default
Representatives of controllers or processors not established in the Union
Records of processing activities
Cooperation with the supervisory authority
Security of processing
Notification of a personal data breach to the supervisory authority
Communication of a personal data breach to the data subject
Data protection impact assessment
Designation of the data protection officer
Codes of conduct
Articles 25-39
*Fines for violations of selected obligations were found in the data set
27. Are we compliant?
Once implemented, does our compliance plan reflect the privacy mindset?
Is this mindset properly articulated in the Code of Conduct?
Are the adopted policies consistent and clear?
How can we confirm compliance with these policies?
How are these policies reflected in the everyday decisions of every employee?
…Is our culture lawful, fair and transparent?
Maturity level
29. Privacy by Design @ Software Development
• Privacy by Design is a combination of
- Privacy Assessment, SDLC for a software development stream
- Privacy Assessment, PMM for a project management stream
Diagram: Software Development stream with a Secure Development Life Cycle (SDLC); Project Management stream with a Project Management Methodology (PMM); each combined with a Privacy Assessment gives Privacy by Design