Ruth Cohen, Research and Legal Executive and Data Protection Officer at VinciWorks
While you have been on your summer holidays, the ICO and other European Data Protection Authorities have been keeping busy. Large and small firms have been investigated and fined for having insecure data file transfer and storage systems in place, making unlawful marketing calls and having inadequate or, in some cases, no GDPR training programmes in place.
Here’s a quick overview of critical GDPR events you may have missed while you were away:
No-deal Brexit will ‘instantly disrupt’ UK’s role as £174bn global data hub
A new study by UCL European Institute suggests that a no-deal Brexit would seriously disrupt the free flow of commercially valuable data between Europe and the UK, leaving companies across the finance, hospitality, manufacturing and technology sectors facing “immense” extra costs. Once it loses its seat at the EU table, the UK is likely to become a data protection rule-taker and no longer a rule-maker. With the EU setting the global gold standard, the scope for meaningful UK sovereignty in this domain is minimal.
AncestryDNA, 23andMe and MyHeritage DNA home testing concerns
The ICO has received 16 complaints about AncestryDNA, 23andMe and MyHeritage, three of the biggest home DNA testing companies, regarding security, the use and disclosure of data and the right to prevent the processing of data. The ICO has offered advice to the affected companies to ensure they are GDPR compliant.
Making it Easy Ltd receives a £160,000 fine for making spam calls
Following over 200 complaints, the ICO has fined Making it Easy Ltd., a Clydebank-based boiler replacement firm, £160,000 for making over a million marketing calls between May and December 2018. The ICO found that over 80% of the calls were made unlawfully. In many instances, the company did not use its trading name to make the spam calls. The ICO has made it clear that such practices are unacceptable.
Life at Parliament View Ltd fined £80,000
Life at Parliament View Ltd, a London-based estate agency, has been fined £80,000 for failing to keep tenants’ data safe. The ICO found that 18,610 customers’ personal data, including highly confidential documents such as bank statements and salary details, were left exposed for almost two years.
The ICO found that the estate agent “had failed to adequately train its staff, who misconfigured and used an insecure file transfer system and then failed to monitor it. These shortcomings have left its customers exposed to the potential risk of identity fraud.”
Dutch Hospital fined €460,000 due to an absence of appropriate security measures
Dutch hospital HagaZiekenhuis has been fined €460,000 due to an absence of appropriate security measures protecting its patients’ files. The Dutch Data Protection Authority determined that the system used by the hospital did not have appropriate access controls or an adequate authentication process as required by GDPR.
If the hospital does not comply, a further penalty of €100,000 will be due every two weeks until such measures are implemented.
AVON cosmetics fined €60,000 for unlawfully processing data
The Spanish data protection authority has fined AVON cosmetics €60,000 for unlawfully processing data under GDPR. The company did not appropriately verify the identity of its customer, and a third party then made use of this information to fraudulently receive products from the company without paying the amounts due. Further, the incorrect data was added to a bad debt register in error.
Guidance has been issued that the controller did not put in place the necessary due diligence to verify the identity of the person.
Legal and Research Executive and DPO Ruth Cohen holds an LLB specialising in International Commercial Law. Ruth has experience in both the public and private sectors, having consulted for many Fortune 500 companies. She has expert-level knowledge across a wide range of areas including corporate finance, data protection, harassment, information security, due diligence, commercial law, risk and regulatory compliance.