GDPR makes new headlines as firm hit with huge fine

GDPR was back in the news this week as it emerged that a German housing firm had been fined €14.5 million (approximately £12.5 million) for data breaches.

It seems a good opportunity to revisit GDPR. Do you know what your obligations under the General Data Protection Regulation are? Is your firm doing everything it should to avoid a similar fine?

What was the German firm fined for?

The fine, as reported by IT Pro, was for ‘hanging onto a treasure trove of personal and financial data of former and current housing tenants’.

German data protection investigators found that the property company, Deutsche Wohnen, had:

  • Been holding highly sensitive information – including salary information, extracts from employment and training contracts, tax and health insurance records and bank statements – in an archival system from which it was impossible to delete records
  • Stored data ‘on an indiscriminate basis’, according to German data protection authorities, and without appropriate consents
  • Had no legally defined basis for collecting and storing the data

The company had previously been warned about its archive system, for the first time in 2017, and been told to change its archiving system as a matter of urgency.

Although it had changed the system in March this year, the updates still failed to establish a lawful basis for storing the personal data.

The initial fine was actually far larger – roughly €28 million (£24 million), or 2.8% of the firm’s annual turnover. It was reduced because Deutsche Wohnen had co-operated with the regulator during the process, and had already taken steps to improve the way it stores data.

How have firms responded to GDPR?

Since GDPR came into force in May 2018, marketers have needed to approach data with extreme caution.

You need to ensure that your use of client, customer and prospect data falls under one of the six lawful bases for processing data.

But not all firms seem fully on board with the new rules. A survey in December last year found that two-thirds of EU firms were not fully compliant with the regulation.

And a report released last July claimed that UK employees are more likely to get into trouble for failing to do office ‘housekeeping’ than they are for GDPR breaches.

What do you need to do to avoid falling foul of the regulation?

  • Familiarise yourself with the rules

Our blog on the GDPR’s launch has useful background. The Information Commissioner’s Office also publishes regular blogs and has a dedicated GDPR microsite – both good sources of information.

  • Review your own approach

Do your processes comply? Does your data processing follow one of the lawful bases? Are your systems adequate to meet the requirements of the regulations? Can you respond quickly to requests to have people removed from your mailing lists – and do you compliantly document these actions?

  • Look at alternative marketing channels to reduce your use of email

Prior to the regulation coming into force, we shared some of the ways your marketing may change under GDPR.

If you decide to reduce your email marketing to minimise your exposure to the GDPR requirements, you might want to increase your use of social media.

Look at other ways to take your marketing content to your audience. And think about some of the efficiencies you may need to make to counteract the additional work the new regulation entails.

  • Read our previous blogs for tips

We’ve looked before at how regulated firms can respond to GDPR and how small businesses can overcome the GDPR challenge; both blogs have practical tips and advice for firms tackling GDPR.

Taking a responsible approach to marketing compliance

GDPR is just one of the many regulations your marketing activity needs to comply with. For a refresher on how to ensure your marketing campaigns come up to scratch, you can read a copy of our Marketing Guide to Compliance.

The free guide covers nine key areas that marketing needs to know about financial promotions and compliance. You can read a copy here.

Nothing in this document should be treated as an authoritative statement of the law. Action should not be taken as a result of this document alone. We make no warranty and accept no responsibility for consequences arising from relying on this document.
