When you think of GDPR fines, you probably think of companies like Google (€50 million in January of 2019), Facebook (£500,000 in October of 2018) and Equifax (£500,000 in September of 2018 ). And you probably think “well, yeah, of course the supervising authorities (SAs) are all up in the grills of the big guys.”
And you’d be right. It’s in everyone’s best interest that the large data collectors are held accountable for their actions.
But the SAs have been instructed not to stop at the top. In these, the early days of correcting irresponsible behaviour, scrutiny levels are turned way up, and directed equally towards global firms and individuals.
You generally don’t hear about the latter; and that’s a problem because these little fines (which aren’t so little) will give you insights into employee behaviours you should be scrutinizing yourself.
You had a busy day at the office and you have to finish your day at home after the kids go to bed. So you send a few emails from your work account to your personal account. No big deal, right? That’s what Jayana Morgan-Davis, a former administration assistant at a used car dealership, thought. But when the SAs did their audit and saw this, they prosecuted her for unlawfully obtaining the personal data of customers and fined her more than £800.
You recommended a friend for a job at your company and you know the competition is fierce. So to give your buddy a bit of an edge, you show her who else made the first cut. Of course, you trust your buddy not to do anything untoward with this information, but that won’t matter to the SAs; and it didn’t matter to them when Kevin Bunsell did it. They fined him more than £1,300.
You just got a new job and you want to bring what you learned about data management at your old job. So you download a few spreadsheets so you can crib the processes. You have no interest in the data itself, just the format. The SAs don’t know that, can’t confirm it and won’t stand for it. When former head teacher Darren Harrison did exactly this (with student records), he was fined more than £1K.
List-buying is a well-established and accepted way to expand a prospect pool. But the SAs are insisting that you screen any list you purchase before using it to make sure no one’s on it that shouldn’t be. So when Secure Home Systems, a little company in England, failed to screen one of their purchased lists, they were hit with an £80,000 fine.
Yes, most data breaches are digital-based, but the SAs are just as concerned with how you treat your paperwork. Bayswater Medical Centre found this out the hard way when the SAs levied a £35,000 fine for failing to properly store confidential patient data, even though nothing happened.
Make sure you’re GDPR compliant from a systems perspective. Because you can conduct all the employee behaviour modification you want, but if your solutions aren’t up to code, the SAs will absolutely get you for that too. And they’ll get you good.
Here’s a simple cheat sheet you can use to verify your specific needs.