The first French GDPR fine has been brought against a real estate company, costing the company €400,000.
The fine relates to user data which was available on the website by simply modifying the URL slightly, giving anyone access to rental applicants’ documents, including IDs, tax returns, bank account details, and more.
After receiving the complaint in August 2018, the CNIL discovered that the company had been aware of the issue since March but didn’t resolve it until September – and, crucially, had not reported it.
As reported by JDSUPRA:
The CNIL identified two violations of the GDPR:
- The company failed to fulfil its obligation to preserve the security of the personal data of its website users, in breach of Article 32 of the GDPR. The company had not put in place a procedure to authenticate users of its website to ensure that the persons accessing the documents were the ones who had uploaded them, a basic measure. This failure was aggravated, on the one hand, by the nature of the data made available and, on the other hand, by the company’s particular lack of diligence in correcting it: the security issue was only resolved six months later and no emergency measures were taken to limit the impact of the issue in the meantime.
- The company kept the documents uploaded by candidates for an unlimited period of time. The documents uploaded by candidates who were not selected for the accommodations they had applied for were kept for a duration that was longer than necessary for the purpose of the processing. The CNIL noted that once the purpose for processing is achieved (e.g., managing the candidacies), the data must be deleted – or at least archived if it needs to be kept for compliance with legal obligations or for dispute management purposes in compliance.
Read the full article here: https://www.jdsupra.com/legalnews/france-s-first-gdpr-fine-costs-real-86375/
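The two findings quoted above map onto two controls a practitioner would implement. The following Python sketch is an added example, not the company’s code or anything CNIL published: an ownership check before an uploaded document is served (the insecure lookup is shown beside the hardened one), and a retention sweep that deletes unsuccessful applicants’ documents once their candidacy is closed. The sample store, the status names, the sweep date and the 30-day grace period are constructed assumptions; the article gives no retention figure.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Document:
    doc_id: int
    owner_id: str      # applicant who uploaded it
    kind: str          # constructed label, e.g. "id_card", "tax_return"


@dataclass
class Application:
    applicant_id: str
    status: str                 # constructed states: "pending", "selected", "rejected"
    closed_on: Optional[date]   # date the candidacy was decided; None while pending


# Constructed sample store standing in for the rental site's uploaded documents.
DOCUMENTS: Dict[int, Document] = {
    101: Document(101, "alice", "id_card"),
    102: Document(102, "alice", "tax_return"),
    103: Document(103, "bob", "bank_details"),
}
APPLICATIONS: Dict[str, Application] = {
    "alice": Application("alice", "rejected", date(2018, 3, 1)),
    "bob": Application("bob", "pending", None),
}
SWEEP_DATE = date(2018, 9, 1)   # constructed date for the retention run below


def serve_document_insecure(doc_id: int) -> Tuple[int, Optional[Document]]:
    """The pattern in the finding: the id taken from the URL is trusted as-is,
    so any visitor who edits it is handed another applicant's document."""
    doc = DOCUMENTS.get(doc_id)
    return (200, doc) if doc else (404, None)


def serve_document(session_user: Optional[str], doc_id: int) -> Tuple[int, Optional[Document]]:
    """Hardened handler: require an authenticated session, then check that the
    caller is the applicant who uploaded the document. Returns an HTTP-style
    status code and the document (or None)."""
    if session_user is None:
        return 401, None
    doc = DOCUMENTS.get(doc_id)
    # One answer for "no such document" and "someone else's document", so the
    # response does not reveal which ids are valid.
    if doc is None or doc.owner_id != session_user:
        return 404, None
    return 200, doc


def purge_expired_documents(today: date, grace: timedelta = timedelta(days=30)) -> List[int]:
    """Retention sweep: delete the documents of applicants whose candidacy was
    rejected more than `grace` ago and return the deleted ids. The 30-day grace
    period is an assumed value for illustration; the article gives no period."""
    removed = []
    for doc_id, doc in list(DOCUMENTS.items()):
        app = APPLICATIONS.get(doc.owner_id)
        if app is None or app.status != "rejected" or app.closed_on is None:
            continue   # pending or successful candidacies still need their documents
        if today - app.closed_on > grace:
            del DOCUMENTS[doc_id]
            removed.append(doc_id)
    return sorted(removed)


if __name__ == "__main__":
    print(serve_document_insecure(103))        # anyone who guesses the id gets bob's bank details
    print(serve_document("alice", 103))        # (404, None)
    print(purge_expired_documents(SWEEP_DATE)) # [101, 102]
```

The hardened handler does two distinct things: it refuses unauthenticated requests outright, and it ties the lookup to the session identity rather than to whatever id arrived in the URL. The retention sweep is what "delete once the purpose is achieved" looks like in practice: it keys off the candidacy's outcome and closing date, not off the upload date, so documents of still-pending applicants are untouched.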
The key lessons to learn from this first French GDPR fine are: firstly, to always be aware of all the data you hold on users, and to delete it when it is no longer needed; secondly, to report potential data breaches to the relevant authority, and to implement emergency measures as soon as a data protection issue is detected.
If you’re concerned about the data your own company holds, our Gap Analysis service involves identifying where all the data is to allow you to take measures to protect it. Get in contact with us today!
Transgender charity Mermaids UK has suffered a data breach that has left children and young people at risk, after thousands of emails were accidentally made available online.
The Times first reported the breach, noting that the emails could be found just by typing in Mermaids UK’s name and charity number. The emails dated back to 2016-2017.
On a positive note, the charity seems to have taken emergency action to limit the damage and to immediately report the breach, as reported by the BBC:
Mermaids UK stated it had notified the Information Commissioner’s Office, the data protection watchdog, and contacted those affected.
The Charity Commission had also been notified, it said, and an independent investigation into the breach would be launched.
“We’re going to be employing a third party to oversee processes and advise on how we can improve internal practice,” the spokesperson told the BBC.
“I think it’s important to note that this dates back some two years when Mermaids was a smaller charity dealing with the first aggressive onslaught from those who are opposed to giving vulnerable transgender children and young people the safe spaces they need.”
Read the full article here: https://www.bbc.co.uk/news/uk-48652970
It remains to be seen what the penalties will be for this Mermaids UK data breach. That the charity has taken swift, positive action will certainly count in its favour, and the ICO may take into account its charitable intentions.
However, that vulnerable people – in this case, transgender children – were put at risk might cancel this out and lead to a hefty fine.
If you’re not certain how to respond to a data breach, a GDPR consultant can help. Click here to get in touch with us today and ensure that you’re compliant with the latest data protection laws!
A new report has found that the majority of the UK’s most popular websites are failing to comply with GDPR.
The study from ImmuniWeb found that 86 of the top 100 sites visited in the UK did not meet their obligations, with all of them handling user data via insecure cookies.
As IT Pro reports:
The stats reveal that sites operating across the rest of Europe are more likely to be compliant with GDPR. A study of popular sites in France found 83 of its top 100 were non-compliant, while in Germany this fell to 50. The reasons for this are noticeably different, however, as sites in France and Germany are far more likely (50% and 40% respectively) to have missing or hard to reach privacy policies.
“We can see laudable efforts aimed to improve web application security and adhere to GDPR requirements amid European companies,” said Ilia Kolochenko, CEO and founder of ImmuniWeb. “However, there is a long road before the majority of organisations value actual security above paper-based compliance thereby providing their users with the privacy and security they truly deserve.”
You can read the full article from IT Pro here: https://www.itpro.co.uk/policy-legislation/33726/most-of-the-uks-top-websites-fail-gdpr-claims-immuniweb
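“Insecure cookies” in the ImmuniWeb finding refers to session and tracking cookies set without the attributes browsers use to protect them. The article does not say which attributes the study tested, so the checker below, an added example that is neither ImmuniWeb’s tool nor the article’s code, looks for the three usually expected (Secure, HttpOnly and SameSite) plus the rules for the __Host- name prefix, and reports each cookie that falls short. The Set-Cookie values it runs over are constructed for illustration, not captured from any real site.

```python
from typing import Dict, List, Tuple

# Constructed Set-Cookie header values for illustration; not captured from any real site.
SAMPLE_SET_COOKIES = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "tracking=xyz; Path=/; Expires=Wed, 21 Oct 2020 07:28:00 GMT",
    "prefs=dark; Path=/; Secure; SameSite=None",
    "__Host-sid=def456; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into the cookie name and a dict of its
    attributes (keys lower-cased; flag attributes map to an empty string)."""
    name_value, *attr_parts = [p.strip() for p in header.split(";")]
    name, _, _value = name_value.partition("=")
    attrs: Dict[str, str] = {}
    for part in attr_parts:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookie(header: str) -> Tuple[str, List[str]]:
    """Return the cookie name and a list of findings. The checks cover the
    attributes a browser relies on to keep a cookie off plain HTTP, away from
    page scripts, and out of cross-site requests."""
    name, attrs = parse_set_cookie(header)
    findings: List[str] = []
    secure = "secure" in attrs
    if not secure:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite")
    elif samesite == "none" and not secure:
        # Browsers reject SameSite=None unless the cookie is also Secure.
        findings.append("SameSite=None without Secure")
    if name.startswith("__Host-") and (not secure or attrs.get("path") != "/" or "domain" in attrs):
        findings.append("__Host- prefix requirements not met")
    return name, findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audit a list of Set-Cookie values and map each cookie name to its findings."""
    return dict(audit_cookie(h) for h in headers)


def count_noncompliant(headers: List[str]) -> int:
    """Number of cookies with at least one finding."""
    return sum(1 for findings in audit_headers(headers).values() if findings)


if __name__ == "__main__":
    for cookie, findings in audit_headers(SAMPLE_SET_COOKIES).items():
        print(cookie, "OK" if not findings else "; ".join(findings))
```

Run against a site’s actual response headers, the output is the per-cookie list a remediation ticket needs; a cookie that only carries preferences may legitimately lack HttpOnly, so the findings are evidence for review rather than an automatic verdict.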
With GDPR now over a year old, these are worrying statistics. Compliance should have been met before it even came into force; failing to comply with GDPR now is inexcusable.
That the UK is lagging behind other countries (although only just behind some of them) would seem to indicate that GDPR is less of a concern for British organisations than it is for the rest of the EU.
Yet even with uncertainties over Brexit, GDPR will remain as the framework for Britain’s data protection laws. Failing to comply with GDPR is unacceptable no matter what happens when the UK leaves the EU.
If you’re yet to ensure GDPR compliance at your organisation, Activa Consulting is here to help. Our Gap Analysis service will identify the potential risks to your business and recommend what changes you need to make. Click here to contact us now!
France’s data regulator, CNIL, has fined Google £44 million (50 million euros) for a lack of transparency over collecting data to personalise ads for users. This is a record fine resulting from complaints brought by two privacy rights groups, noyb and La Quadrature du Net. So what else do we know about this Google GDPR fine?
- The official reason given by CNIL for the fine was a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”. In short, people were “not sufficiently informed” about how their data was being collected.
- The key thing here is that Google was not obtaining clear consent for the gathering of this data. “The relevant information is accessible after several steps only,” stated CNIL. “Users are not able to fully understand the extent of the processing operations carried out by Google.”
- In addition to this, Google did not have a valid legal basis for gathering this data. In effect, not only was the process by which they were collecting users’ data insufficiently clear, they were also unjustified in doing so.
- The first complaint was filed as soon as GDPR came into effect on 25 May 2018. Google’s preparations for the new data protection laws were clearly insufficient as they were found to be in breach of them.
- Google is now considering its next steps after the decision from CNIL. However, it’s likely that any actions taken now will be too late – measures should have been taken before GDPR came into effect, not after.
This Google GDPR fine ought to be a big wake-up call to corporations that handle user data. As we’ve reported, Facebook has suffered numerous data breaches both before and after GDPR was brought into force; what penalties it might suffer have yet to be seen.
For more information on the Google GDPR fine and its ramifications, see the full story by clicking here.
If you’d like to ensure that your business or organisation is GDPR compliant, contact Activa Consulting today. Our GDPR Gap Analysis will help you to prevent data breaches, and therefore avoid costly fines and penalties.
Performing a Gap Analysis is a vital step in implementing GDPR in a large organisation. It can only be done once we know where the data is, who has it, and how secure it is.
This is the “Data Mapping” we often talk about – identifying what information is stored where, and how it is processed, transferred and secured. For a small company with few customers, this won’t take too long. Large organisations, however, will naturally take longer because they hold far larger volumes of data on both employees and customers, and that is before taking into consideration any further branches of the organisation.
What a Gap Analysis tells us is exactly how well an organisation complies with GDPR and, as its name suggests, where the gaps are: the places in which the organisation does not follow the regulations. These gaps then become the organisation’s key items to fix.
Sometimes there can be a simple, logical solution, but some problems uncovered by a Gap Analysis will take more time and effort to fix. Furthermore, once again, the nature of a large organisation will likely mean that finding and implementing solutions will take longer and more resources.
A Gap Analysis is definitely best done by a GDPR Specialist or Consultant (contact us for a quote), as there is less chance they will miss something during the data mapping and the analysis itself. It is vital that this is done correctly before the new regulations come in in May 2018, especially considering the fines and penalties that could follow from a lack of compliance.
The writing of Privacy Notices is also an important part of the implementation process. It can also be a lot of work. If you’re dealing across multiple countries, patients, applications, the amount of work increases. The workload significantly increases if you’re a multi-national filling out multiple applications, for example. You’ll need versions in every language that you trade in that adapt to any other relevant local laws. And this equates to a lot of legal and lawyer work.
A Privacy Notice is an important tool for organisations to communicate to their customers what their Data Subject Access Request (DSAR) rights are. That, though, is the easy part of DSARs… which we will discuss in the next article.
Catch up on the previous article: How to Implement GDPR in a Large Organisation