GDPR was back in the news this week as it emerged that a German housing firm had been fined €14.5 million (approximately £12.5 million) for data breaches.
It seems a good opportunity to revisit GDPR. Do you know what your obligations under the General Data Protection Regulation are? Is your firm doing everything it should to avoid a similar fine?
What was the German firm fined for?
The fine, as reported by IT Pro, was for ‘hanging onto a treasure trove of personal and financial data of former and current housing tenants’.
German data protection investigators found that the property company, Deutsche Wohnen, had:
- Been holding highly sensitive information – including salary information, extracts from employment and training contracts, tax and health insurance records and bank statements – in an archival system from which it was impossible to delete records
- Stored data ‘on an indiscriminate basis’, according to German data protection authorities, and without appropriate consents
- No legally-defined basis for collecting and storing the data
The company had first been warned about its archive system in 2017 and told to change it as a matter of urgency.
Although it had changed the system in March this year, the updates still failed to establish a lawful basis for storing the personal data.
The initial fine was actually far larger – roughly €28 million (£24 million), or 2.8% of the firm’s annual turnover. It was reduced because Deutsche Wohnen had co-operated with the regulator during the process, and had already taken steps to improve the way it stores data.
How have firms responded to GDPR?
Since GDPR came into force in May 2018, marketers have needed to approach data with extreme caution.
You need to ensure that your use of client, customer and prospect data falls under one of the six lawful bases for processing data.
But not all firms seem fully on board with the new rules. A survey in December last year found that two-thirds of EU firms were not fully compliant with the regulation.
And a report released last July claimed that UK employees are more likely to get into trouble for failing to do office ‘housekeeping’ than they are for GDPR breaches.
What do you need to do to avoid falling foul of the regulation?
- Familiarise yourself with the rules
- Review your own approach
Do your processes comply? Does your data processing follow one of the lawful bases? Are your systems adequate to meet the requirements of the regulations? Can you respond quickly to requests to have people removed from your mailing lists – and do you compliantly document these actions?
- Look at alternative marketing channels to reduce your use of email
GDPR is just one of the many regulations your marketing activity needs to comply with. For a refresher on how to ensure your marketing campaigns come up to scratch, get in touch with us.
How can we help?
At LS Consultancy, we offer a number of distinct products and services which can be deployed individually or combined to form a broader solution.