Two recent enforcement actions shed light on how regulators will enforce GDPR provisions going forward. In one case, the United Kingdom’s Information Commissioner’s Office fined a company GBP 275,000 for storing sensitive data in crates on its premises. The crates were not secured, which violated the GDPR’s requirement for technical and organizational measures to prevent unauthorized access to personal data.
Steve Eckersley, Director of Investigations at the ICO, said, “The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”[1]
A German regulator, the Federal Commissioner for Data Protection and Freedom of Information, issued one of the largest fines to date, EUR 9.5 million, for a similar offense. In this case, the Commissioner found that the company had not put adequate technical and organizational measures in place, because callers were able to obtain customer information simply by giving a customer’s name and date of birth. In addition to the fine, the company has agreed to introduce a new authentication process, in consultation with the regulator, to make it harder for people to access the personal data of others.[2]