Quite frankly, I think no one expected it to be in Portugal. And no one expected the first fines to be issued to a public hospital, already struggling to balance its budget while providing vital health care. But it happened.
Although a significant sum, it is small compared to the maximum fines of up to 20 million euros or 4 percent of total annual turnover.
In short, the fines were issued for three different breaches of GDPR, all connected to unauthorized access to sensitive personal data and to the deficiencies in internal routines and policies that led to the possible unlawful access to that data.
This really puts the question of access to personal data in focus, and we want to repeat that GDPR does not per se limit the use of personal data.
Instead, while following the general principles, you simply have to know where personal data is located, control the access to it, and document the legal grounds for processing it.
This is why we focus on unstructured data. 80-90% of all data in any organization's possession is unstructured data: files, emails and the like, accumulated over many years.
In order to provide access on a "need to know" basis, one of the main principles in GDPR, it is crucial that the organization knows where the personal data it processes is located. This can only be achieved by making a documented inventory of the existing data and using that documentation for monitoring.
The Norwegian Data Protection Authority issued a warning to the municipality of Bergen that it may be facing a fine of 1.6 million NOK for violating the EU General Data Protection Regulation. A primary school in Bergen left the usernames and passwords for 35,000 students and employees exposed to other users.
In the case of Bergen, the personal data was in a file that was simply saved in the wrong location.
Who else might have personal data in files saved in the wrong location?
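As an added illustration of the inventory-and-monitoring approach described above, and of the "file in the wrong location" problem from the Bergen case, here is a small Python scanner. It is example code written for this post, not a tool from the author or any product mentioned here. It walks a directory tree, flags files that contain likely personal data (an e-mail address, or a credential-style line such as `password: ...`), and reports any such file that sits outside the locations approved for that data. The detection patterns, the approved-location list and the sample files are all constructed assumptions for the example; a real inventory would use the organization's own data classification rules.

```python
"""Added example (not part of the original post): inventory unstructured files,
flag likely personal data, and report copies stored outside approved locations.
All patterns, paths and sample files below are constructed for this example."""
import os
import re
import tempfile
from dataclasses import dataclass

# Detection patterns (assumptions for this example): an e-mail address, and a
# credential-looking line of the kind found in the Bergen file.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "credential": re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*\S+"),
}


@dataclass
class Finding:
    path: str
    categories: tuple  # names of the patterns that matched
    approved: bool     # True if the file sits under an approved location


def classify(text):
    """Return the pattern names that match the given text, in PATTERNS order."""
    return tuple(name for name, rx in PATTERNS.items() if rx.search(text))


def is_approved(path, approved_roots):
    """True if path is inside one of the approved directory roots."""
    path = os.path.abspath(path)
    for root in approved_roots:
        root = os.path.abspath(root)
        if os.path.commonpath([path, root]) == root:
            return True
    return False


def inventory(root, approved_roots, max_bytes=1_000_000):
    """Walk root and record every file that matches a personal-data pattern."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read(max_bytes)  # cap read size per file
            except OSError:
                continue  # unreadable file: skip, a real tool would log it
            categories = classify(raw.decode("utf-8", errors="ignore"))
            if categories:
                findings.append(Finding(path, categories, is_approved(path, approved_roots)))
    return findings


def misplaced(findings):
    """The subset of findings stored outside every approved location."""
    return [f for f in findings if not f.approved]


def demo():
    """Build a constructed tree: an approved HR share and a public folder."""
    root = tempfile.mkdtemp()
    hr = os.path.join(root, "hr")
    public = os.path.join(root, "public")
    os.makedirs(hr)
    os.makedirs(public)
    with open(os.path.join(hr, "staff.csv"), "w") as fh:
        fh.write("name,email\nAnna,anna@example.org\n")          # constructed
    with open(os.path.join(public, "accounts.txt"), "w") as fh:
        fh.write("user: student1\npassword: Winter2019\n")       # constructed
    with open(os.path.join(public, "menu.txt"), "w") as fh:
        fh.write("Monday: soup\n")                               # no personal data
    findings = inventory(root, approved_roots=[hr])
    return findings, misplaced(findings)


if __name__ == "__main__":
    all_findings, wrong_place = demo()
    print(f"{len(all_findings)} file(s) contain personal data")
    for f in wrong_place:
        print(f"MISPLACED: {f.path} ({', '.join(f.categories)})")
```

Run on a schedule, the `misplaced()` output is the monitoring signal the post asks for: a documented list of where personal data lives, and an alert whenever a copy turns up somewhere it should not be. In the constructed run, the HR share's staff list is recorded but approved, while the credential file in the public folder is reported as misplaced.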