Historically, data protection fines tended to be triggered by either cyber breaches or some process or system failure that led to personal data being exposed.
Two of the first fines imposed under the GDPR (General Data Protection Regulation) point in a different direction.
The €50 million (£43 million) Google fine, imposed by the French regulator, the CNIL, was for a breach of specific requirements around how data subject consent is obtained, not for any exposure of personal data.
One nightmare for boards is the possibility of an investigation and fine following a complaint by someone with animus. The complaint that led to this fine was lodged on 25 May 2018, the day the GDPR became applicable; investigation of major GDPR legal issues does take time! It is also worth noting that the CNIL statement indicates that, because the infringement is continuing, further enforcement action could follow.
The €400,000 (£350,000) fine for the Portuguese hospital Centro Hospitalar Barreiro Montijo is the sum of separate fines for three specific breaches of the law. The breach of Article 32(1)(b) (“The incapacity of the defendant to ensure the continued confidentiality, integrity, availability and resilience of treatment systems and services as well as the non-implementation of the technical and organizational measures to ensure a level of security adequate to the risk, including a process of regularly testing, assessing and evaluating the technical and organizational measures to ensure the security of the processing,” as described by IAPP) was only one of the three, but in reality it lay at the heart of the other two: the access-control failures that made up the remaining breaches are exactly what a working security process should have caught.
Risk assessment, selection and implementation of appropriate controls, and ongoing testing and evaluation of their effectiveness are fundamental to any compliance regime, but there also needs to be evidence that this course of action was actually followed! The GDPR makes both points explicit: Article 32(1)(d) requires “a process for regularly testing, assessing and evaluating the effectiveness” of the technical and organisational measures, and the accountability principle in Article 5(2) requires the controller to be able to demonstrate compliance, not merely to assert it. Risk assessments, control decisions, test results and remediation records are therefore evidence that a regulator will ask for, and their absence is itself a finding.