Pay attention to IT security to avoid GDPR fines

By Tobias Bräutigam, Susanna Jokela

12-2019

It has been over 1.5 years since the General Data Protection Regulation (GDPR) became applicable. While there was little enforcement in the first months, this has changed: European Data Protection Authorities (DPAs) have started to impose fines for non-compliance with the GDPR much more actively. In our recent seminar we shared that IT security is clearly one of the DPAs' main enforcement areas, and therefore something every organization should pay special attention to.

What are the main areas where DPAs issue fines?

Together with Exove, Bird & Bird hosted a client seminar on 26 November to explore GDPR fines. Exove is a software and digital design company with whom we have co-operated for years. The theme of the seminar, "How to tackle GDPR fines with IT security", attracted a lot of participants and raised excellent questions from the audience. DPAs issue fines mainly for lack of transparency, lack of legal basis or lack of IT security. In the seminar, we focussed on IT security. Senior Counsel Tobias Bräutigam presented the legal background and explained the various fining guidelines issued by European DPAs. Fining guidelines set out the aspects that DPAs take into account when determining the amount of a fine. This part was followed by a presentation on technical solutions for IT security issues by Exove's CTO Kalle Varisvirta. Both experts used concrete cases to explain the areas where a lack of security could lead to fines in various sectors: banking, insurance, health and real estate.

Five points to remember

Below we have summed up some key takeaways of the seminar.

1. IT security is high on the list of DPAs' enforcement priorities, and fines are disproportionately high.

2. Co-operation with DPAs can reduce the amount of the fine. Always notify the DPA if you suspect a data breach!

3. Some European DPAs have published fining guidelines; we recommend studying them.

4. Investigations of the DPAs are usually triggered after a data breach.

5. Fines have been imposed, for example, for unlimited data storage times, failing to delete old records once there is no longer a legal basis for them, inadequate technical and organizational measures, insufficient access rights management, and leakage of data, for example via a webpage or by employees.

There are many technical and procedural solutions to prevent IT security issues, and many of them are easy to adopt. As Tobias Bräutigam advised: start small, but start! Bird & Bird offers, for example, scenario-based training on data breaches, which can help identify IT security weaknesses.

What to look for in Finland?

The Finnish DPA has not issued any GDPR fines yet. The reason is that all requirements for fining have been in place only since September 2019, when the Deputy Data Protection Ombudsmen, Anu Talus and Jari Råman, started their work in the three-member collegium required for fining. The third member of the collegium is the Data Protection Ombudsman Reijo Aarnio. According to Aarnio, DPAs have a wide toolkit of other enforcement measures, such as warnings, orders or prohibitions. Stay tuned!

We want to thank all attendees of the seminar for their active participation and are very happy to continue the discussion on this hot topic!