First Fines Under GDPR
In May 2018, the EU’s General Data Protection Regulation (GDPR) was introduced, granting new rights to individuals concerning their privacy and protection of their personal data. The GDPR gives new powers to national data protection regulators.
By the end of 2018, regulators had had enough time to investigate and issue the first set of fines. Here are some examples:
A social media company was hacked, and the stolen data revealed that it stored users’ passwords in plain text. The company cooperated proactively with the authorities and received a fairly low fine of 20,000 EUR, primarily for storing unencrypted passwords.
A large telecom provider’s operations were penetrated: customers’ contracts and invoices were accessed simply by tweaking their web addresses. User authentication had been disabled for the testing phase and was never reactivated when the system went into production, resulting in a fine of 250,000 EUR.
A hospital received a 400,000 EUR fine for a series of user account administration violations, such as granting permissions too broadly, not deactivating former employees’ accounts, and granting permissions that should never have been granted: approximately 1,000 profiles displayed ‘doctor’, but there were fewer than 300 real doctors.
Investigations into some pre-GDPR incidents also resulted in fines:
- In December 2018, Facebook’s personal data protection practices were in the spotlight, with a fine of 10M EUR issued in Italy
- Uber received fines for its 2016 data breach, in which an attacker used login credentials that had been checked into the company’s Git source code version control system and gained access to an AWS S3 bucket holding details of 32M drivers. For this breach Uber received fines of 385,000 GBP in the UK and 600,000 EUR in the Netherlands, followed by 400,000 EUR in France.
The fines in these two cases are considered low because the incidents occurred before GDPR came into force.
In January 2019, a large multinational company received a fine of 50M EUR in France for making it difficult for users to understand the personal data processing they had consented to.
These fines are yet another reminder of the importance of data protection practices such as encryption, authentication, and authorization, as well as sharing information on a need-to-know basis and obtaining consent from the individuals whose data is processed.
SoftServe’s data protection team is actively helping clients to develop solutions that are compliant with GDPR and other data protection regulations.
The team follows SoftServe’s proprietary methodology for a compliant software development lifecycle, ensuring that personal data protection is addressed at each stage of the software lifecycle, from project inception all the way to project retirement.
Interested in learning more about data privacy in the wake of GDPR? View our most recent case study, "Telecom Management Solutions Provider Achieves GDPR Compliance."