GDPR was back in the news this week as it emerged that a German housing firm had been fined €14.5 million (approximately £12.5 million) for breaches of the regulation.
It seems a good opportunity to revisit GDPR. Do you know what your obligations under the General Data Protection Regulation are? Is your firm doing everything it should to avoid a similar fine?
What was the German firm fined for?
The fine, as reported by IT Pro, was for ‘hanging onto a treasure trove of personal and financial data of former and current housing tenants’.
German data protection investigators found that the property company, Deutsche Wohnen, had:
- Been holding highly sensitive information – including salary information, extracts from employment and training contracts, tax and health insurance records and bank statements – in an archival system from which it was impossible to delete records
- Stored data ‘on an indiscriminate basis’, according to German data protection authorities, and without appropriate consents
- No legally-defined basis for collecting and storing the data
The company had first been warned about its archive system in 2017, when it was told to change the system as a matter of urgency.
Although it had changed the system in March this year, the updates still failed to establish a lawful basis for storing the personal data.
The fine originally calculated was far larger, roughly €28 million (£24 million), or 2.8% of the firm’s annual turnover. It was reduced because Deutsche Wohnen had co-operated with the regulator during the investigation and had already taken steps to improve the way it stores data.
How have firms responded to GDPR?
Since GDPR came into force in May 2018, marketers have needed to be able to justify every use of personal data.
You need to ensure that your use of client, customer and prospect data falls under one of the six lawful bases for processing set out in Article 6 of the regulation.
But not all firms seem fully on board with the new rules. A survey in December last year found that two-thirds of EU firms were not fully compliant with the regulation.
And a report released last July claimed that UK employees are more likely to get into trouble for failing to do office ‘housekeeping’ than they are for GDPR breaches.
What do you need to do to avoid falling foul of the regulation?
- Familiarise yourself with the rules
- Review your own approach
Do your processes comply? Does each of your data processing activities rest on one of the lawful bases? Are your systems adequate to meet the requirements of the regulation, including the ability to delete records? Can you respond quickly when people ask to be removed from your mailing lists (the right to object to direct marketing), and do you document those actions in a way that demonstrates compliance?
- Look at alternative marketing channels to reduce your use of email
Prior to the regulation coming into force, we shared some of the ways your marketing may change under GDPR.
- Read our previous blogs for tips
We’ve looked before at how regulated firms can respond to GDPR and how small businesses can overcome the GDPR challenge – both blogs have practical tips and advice for firms tackling GDPR.
Taking a responsible approach to marketing compliance
GDPR is just one of the many regulations your marketing activity needs to comply with. For a refresher on how to ensure your marketing campaigns come up to scratch, you can read a copy of our Marketing Guide to Compliance.
The free guide covers nine key areas that marketing teams need to know about financial promotions and compliance.
Nothing in this document should be treated as an authoritative statement of the law. Action should not be taken as a result of this document alone. We make no warranty and accept no responsibility for consequences arising from relying on this document.