Enforcement of the EU GDPR is picking up pace and will soon gain momentum. The authorities, which had been warming up, have started issuing notices under the GDPR to numerous organizations for breach or misuse of personal data.
Fines are already being imposed as you read this.
It is time to start your GDPR readiness initiative and implement all required measures and controls as soon as possible.
A few of our clients have already taken our help (consultancy services) to prepare for GDPR readiness and compliance.
Some of the actions taken by authorities under Europe's new data privacy laws (including the EU GDPR):
1. Social/Chat site Knuddels.de fined €20,000 for a breach that exposed the personal information of 330,000 users, including their passwords and e-mail addresses
Knuddels.de, a German social/chat site, was fined €20,000 by the regional Baden-Württemberg data protection watchdog (LfDI Baden-Württemberg) because of a breach that exposed the personal information of 330,000 users, including their passwords and e-mail addresses.
The investigation found that the site had stored user passwords in plain text (rather than as salted password hashes), and it was this that ultimately earned it the fine.
The fine was kept limited because of what the data protection authority called "very good cooperation" and "exemplary transparency" on the platform's part, as well as a range of enhanced security measures that the site has put in place since the incident and that continue to be implemented in conjunction with the authority. The watchdog also considered "the overall financial burden on the company" and other factors, which appear to have helped keep the penalty relatively low.
2. AggregateIQ issued with GDPR notice
AggregateIQ, a Canadian firm linked to the Facebook-Cambridge Analytica scandal, was issued with a GDPR notice by the UK's Information Commissioner's Office (ICO). The company, however, denies any wrongdoing and has challenged the notice.
The notice alleges violation of Articles 5, 6 and 14 of the GDPR because the company "processed personal data in a way that the data subjects were not aware of, for purposes that they would not have expected, and without a lawful basis for that processing." It also notes that the processing was contrary to the purposes for which the data was originally collected, that the company had not sought people's consent, and that it did not inform them that it had received their data from a third party (Facebook).
If the violations are proved, the company might find itself fined at the higher GDPR fine level of up to €20m or four per cent of its annual turnover, whichever is higher.
3. British Airways (because of a hack that compromised credit card data)
British Airways suffered what seems to be a classic data breach scenario: a computer hack lasting more than two weeks compromised credit card data from some 380,000 customers who had made reservations through its website or mobile app. British Airways reported the incident to the EU's Information Commissioner.
The authorities will now look into whether adequate precautionary and preventive measures were taken to avoid such a situation. If they find that British Airways failed to take preventive measures, a fine may be imposed (again up to €20m or four per cent of a company's annual turnover); some people estimate that the penalties under GDPR could reach up to £488 million.
4. Facebook fined, might face another fine too
Facebook was fined £500,000 by the ICO for allowing third-party developers access to user information without sufficient consent (the Cambridge Analytica scandal). Now it might be facing another fine: the Irish Data Protection Commission (DPC) has started an investigation under Section 110 of the Data Protection Act 2018 into the Facebook data breach in which an attack on its computer network exposed the personal information of nearly 50 million users.
The Irish DPC also confirmed that it was alerted to the data breach, reportedly within the 72-hour breach notification limit mandated by the EU General Data Protection Regulation.
How could we help?
Stratops Solutions' GDPR consulting services help you with the right guidance and implementation services so that your organization becomes GDPR compliant. Our approach to GDPR implementation ensures that you will be ready to face GDPR-related risks and can show the authorities that you have left no stone unturned in ensuring, and proving, that the controls in place are indeed in line with the expectations of the GDPR.
Talk to us and make use of our consultancy and compliance services for your GDPR requirements.