What we can learn: €14.5 million Deutsche Wohnen fine
In November 2019 one of the German state data protection authorities (Berliner Beauftragte für Datenschutz und Informationsfreiheit - BlnBDI) issued a €14.5 million fine to Deutsche Wohnen, a German housing company, for a breach of data protection legislation.
We are still in the relatively early days of seeing how the regulatory bodies choose to exercise their enforcement powers under GDPR, so it is worth evaluating the factors behind published enforcement actions to see whether there are practical principles we can apply to operational compliance with data protection legislation.
KEY FACTORS APPEAR TO BE:
The headline offence is that Deutsche Wohnen held an archive of tenant data, including some special category data, stored in a way that meant data could not be deleted in line with retention policies.
In addition, the data did not appear to follow the data minimisation principle, so it was not clear whether the company needed to have stored this information at all, nor what the legal basis for doing so was.
Deutsche Wohnen had been made aware of this in an audit in June 2017. A recommendation had been made to destroy the data and implement an appropriate archive - actions that were not taken.
INITIAL OBSERVATIONS ARE:
€14.5 million is a significant fine given that it was not in relation to a specific security incident. The business turnover is in excess of €2bn, so the scale of the fine is quite possibly proportional to the maximum '4% of turnover' limit rather than the '€20m' limit.
The company had ignored direct advice from the advisory body given 24 months earlier.
There appears to have been no material loss to the data subjects in this case - this is a fine for operational non-compliance with data protection legislation.
WHAT CAN WE LEARN?
Supervisory authorities are willing to issue fines for failings even where no 'breach' has occurred. In practice this is a new power introduced with GDPR - previously, fines tended to be reactive, following a breach and punishing negligence where it was a factor.
It is no excuse that data was collected before GDPR. Although there was a degree of pragmatism about bringing legacy IT systems into full compliance by the May 2018 deadline, this fine suggests that the authority considers that, 18 months later, these issues should now be resolved.
There is no exception for 'archives'. It is easy to concentrate on live operational systems and to give low priority to legacy systems, backups and archives; however, this action makes clear that these records are definitely considered in scope.
ACTIONS TO TAKE:
This is only one example of enforcement action, and there will of course be other factors involved in the regulator's decision to pursue it. However, in response it would be wise to:
If, when completing your information asset audit, you identified legacy backups and archives, now would seem an appropriate time to revisit the retirement plans for them. Review whether the timescales you set for those actions still seem prudent in light of this fine.
Double down on ensuring you have identified and documented your legal basis for holding personal information, even if it was collected before GDPR was introduced.
Review your data protection risk register, looking specifically at risks associated with administrative failures. Ask whether the risk rating is still correct given that regulatory bodies are willing to pursue failings even without a breach incident.
You can read the original press release about the fine here. Note that I am not a speaker of German and so I have relied on an automated translation of the press release to inform my view.
If you would like advice or support to achieve practical data protection compliance in your data processing environment then call me on 020 3393 1899 or email oliver@oliverwestmancott.com for a no obligation informal discussion.