Just prior to the 25th of May 2018, the hype was all around the General Data Protection Regulation (“GDPR”), even though not many fully understood its implications. Considering the hefty fines that were introduced through the Regulation, everyone felt pressured to implement new policies and procedures in order to become compliant with the rules set out in the GDPR.
Since then, we have seen that Supervisory Authorities have already started issuing fines against businesses that are not harmonised with the Regulation. One case in point was the fine issued by the French Supervisory Authority against Google, which amounted to €50,000,000 for violating the GDPR rules in two ways: providing information to users in a non-transparent way, and not obtaining, in a correct manner, the user’s consent for data processing and advertisement-personalisation purposes.
This is not only seen overseas but also at a local level: the Maltese Supervisory Authority, the Information and Data Protection Commissioner (“IDPC”), after a thorough investigation, enforced a fine against the Lands Authority for a data protection breach. The fine imposed was €5,000, following a breach committed in November.
The Data Protection Commissioner indicated that it was The Times of Malta that reported the breach of data protection, which was detected on the Lands Authority website. Indeed, Times of Malta reported that a considerable amount of personal data was found online, easily accessible through a search on Google. They reported that identity card details, as well as affidavits, were available on the internet due to the lack of security on the Authority’s website. The Commissioner went on to say that “the findings of the investigation established that the online application platform available on the authority’s portal lacked the necessary technical and organisational measures to ensure the security of processing.”
It is worth noting that non-compliance with the GDPR gives rise to significant penalties. For a minor breach, a company can be sanctioned up to €10,000,000 or 2% of its annual global turnover, whilst for a major breach it can be sanctioned up to €20,000,000 or 4% of its annual global turnover, whichever is higher. Thus, data protection should be taken seriously, as a data breach would not only result in a hefty fine but would also damage a business’s reputation and brand.