Ambit Compliance Newsletter: Looking Back on November 2024!


Here's what caught our eye in November 2024!

1. Finland: €2.4 million fine for Finland’s postal service and logistics company

The Finnish Supervisory Authority (SA) fined Posti €2.4 million for unlawfully processing personal data in the creation of electronic mailboxes. Complaints arose from the automatic creation of these mailboxes without customer consent and the lack of clear information provided about this service. Customers were unable to opt-out of the mailbox without losing access to other linked services. The SA found that the service could have been offered without automatically creating the mailbox and criticised Posti’s data protection practices, including pre-ticked checkboxes and auto-activated settings. Posti was reprimanded and ordered to rectify its practices to comply with GDPR requirements.


2. United Kingdom: The Data (Use and Access) Bill ("DUA Bill") continues through Parliament despite concerns raised

The Data (Use and Access) Bill (DUA) passed its second reading at the House of Lords on 19th November. The Bill proposes reforms to the UK's data protection framework, including changes to the Data Protection Act 2018, GDPR, and electronic communications regulations. The Bill continues despite concerns raised that it could leave the UK behind in safeguarding against emerging technologies like AI. Critics of the Bill believe it weakens data protection laws, diminishing privacy rights and reducing individuals' control over their data. The Government have been urged to heed the warnings of rights advocates and amend the Bill to better protect public privacy rights as it progresses through Parliament.


3. Poland: Administrative fine of €54,600 for failure to implement appropriate technical and organisational measures to ensure security

An employee of the catering company Res-Gastro lost a flash drive containing unencrypted personal data, including sensitive employee information. The Polish SA UODO found that the company had not properly conducted a risk analysis, failing to foresee the risk of data loss. Despite having a risk register and GDPR monitoring documents, the company inadequately addressed data security, particularly for external data carriers. The company relied on instructional videos to teach encryption, shifting responsibility to employees. As a result, the UODO fined Res-Gastro €54,600 for non-compliance with GDPR Articles 5, 24, 25, and 32, urging better security measures.


The Moral of the story is...

A recent decision by the Romanian Data Protection Authority (ANSPDCP) highlights the risks of inadequate security measures in protecting personal data. The authority fined online electronics retailer Altex Romania S.A. €20,000 after two separate data breaches exposed sensitive client information. This case highlights the critical need for organisations to proactively address security vulnerabilities and comply with GDPR Article 32 requirements on data protection by design and default.

What happened?

The breaches were caused by a failure to implement sufficient security measures. In the first instance, customer account data, including names, email addresses, delivery addresses, and order histories, was exposed online. The second breach involved a "credential stuffing" attack, where stolen login credentials were used to gain unauthorised access to customer accounts, leading to unauthorised gift card purchases.

The Romanian DPA found that Altex Romania had not taken adequate steps to prevent such breaches, including failing to enforce strong password policies or monitor for unusual login activity. As a result, the authority fined the retailer and mandated corrective actions, such as implementing login alerts, displaying active devices in user accounts, and enhancing password security with expiration policies.

What does this mean for your organisation?

This case illustrates the potential consequences for organisations that do not adequately safeguard personal data. GDPR Article 32 requires organisations to implement appropriate technical and organisational measures to ensure the security of processing, including the prevention of unauthorised access to personal data. Key lessons include:

  • Strengthen Password Policies: Enforce the use of complex passwords, set regular expiration intervals, and discourage password reuse across accounts. These steps make it harder for attackers to exploit stolen credentials.
  • Monitor Suspicious Activity: Establish systems to monitor for unusual login patterns and alert users of new device logins. Proactive detection and response can significantly reduce the impact of credential-based attacks.
  • Secure E-Commerce Platforms: Ensure that your platforms are designed with security in mind, employing encryption, multi-factor authentication (MFA), and real-time traffic monitoring to identify and block potential threats.
  • Conduct Regular Risk Assessments: Evaluate your systems and processes to identify potential vulnerabilities and prioritise mitigation efforts.

Steps your organisation can take to enhance security:

  1. Implement Multi-Factor Authentication (MFA): Adding an extra layer of security for logins reduces the risk of unauthorised access, even if credentials are compromised.
  2. Enable Login Alerts and Device Management: Notify users of new device logins and allow them to view and manage active sessions within their accounts.
  3. Monitor Traffic for Anomalies: Use tools to analyse inbound and outbound traffic for authentication platforms, detecting unusual activity patterns in real time.
  4. Educate Your Customers: Encourage users to create strong, unique passwords and enable MFA where available. Raising awareness is a key component of shared security responsibility.
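The "Monitor Suspicious Activity" lesson and steps 2 and 3 above describe two detection controls in words: spotting credential-stuffing patterns in authentication traffic, and alerting on logins from a device the account has not used before. The following Python script is an added illustration written for this newsletter; it is not code from the newsletter, from Altex Romania, or from the Romanian DPA's decision. The log format, field names (user, ip, device, result), the sample log lines and the thresholds (five distinct accounts per source IP within ten minutes) are all constructed assumptions for the demonstration.

```python
"""Detection logic for credential-stuffing patterns and new-device logins.

Added example, not code from the newsletter or from Altex Romania. The log
format, field names, sample data and thresholds are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines: ISO timestamp then key=value fields.
SAMPLE_LOG = """\
2024-11-20T10:00:00Z user=grace ip=192.0.2.10 device=dev-g1 result=success
2024-11-20T10:01:00Z user=heidi ip=192.0.2.11 device=dev-h1 result=failure
2024-11-20T10:01:20Z user=heidi ip=192.0.2.11 device=dev-h1 result=success
2024-11-20T10:05:00Z user=alice ip=198.51.100.7 device=dev-z1 result=failure
2024-11-20T10:05:10Z user=alice ip=198.51.100.7 device=dev-z1 result=failure
2024-11-20T10:05:20Z user=alice ip=198.51.100.7 device=dev-z1 result=failure
2024-11-20T10:10:00Z user=alice ip=203.0.113.5 device=dev-x9 result=failure
2024-11-20T10:10:02Z user=bob ip=203.0.113.5 device=dev-x9 result=failure
2024-11-20T10:10:04Z user=carol ip=203.0.113.5 device=dev-x9 result=failure
2024-11-20T10:10:06Z user=dave ip=203.0.113.5 device=dev-x9 result=failure
2024-11-20T10:10:08Z user=erin ip=203.0.113.5 device=dev-x9 result=failure
2024-11-20T10:10:10Z user=grace ip=203.0.113.5 device=dev-x9 result=success
"""

DISTINCT_ACCOUNT_THRESHOLD = 5   # assumed tuning value: accounts per source IP
WINDOW = timedelta(minutes=10)   # assumed tuning value: sliding window length


def parse_log(text):
    """Parse log lines into dicts with a datetime 'ts' plus the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        event = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_credential_stuffing(events, threshold=DISTINCT_ACCOUNT_THRESHOLD, window=WINDOW):
    """Flag source IPs whose failed logins touch >= threshold distinct accounts within window.

    Credential stuffing replays stolen username/password pairs across many
    accounts, so the signal is breadth of accounts per source, not the depth
    of attempts against one account (that is ordinary brute force, handled by
    per-account lockout). Returns {ip: max distinct accounts in any window}.
    """
    failures = defaultdict(list)
    for e in events:
        if e.get("result") == "failure":
            failures[e["ip"]].append((e["ts"], e["user"]))
    flagged = {}
    for ip, attempts in failures.items():
        best = 0
        for i, (start, _) in enumerate(attempts):
            users = {u for ts, u in attempts[i:] if ts - start <= window}
            best = max(best, len(users))
        if best >= threshold:
            flagged[ip] = best
    return flagged


def detect_new_device_logins(events):
    """Return alerts for successful logins from a device not previously seen for that account.

    The first device ever seen for an account is treated as its baseline and
    does not alert; later successes from an unseen device produce an alert
    that a login-notification email or in-account device list could consume.
    """
    known = defaultdict(set)
    alerts = []
    for e in events:
        if e.get("result") != "success":
            continue
        user, device = e["user"], e["device"]
        if known[user] and device not in known[user]:
            alerts.append({"user": user, "device": device, "ip": e["ip"], "ts": e["ts"].isoformat()})
        known[user].add(device)
    return alerts


def run_detections(text=SAMPLE_LOG):
    """Run both detections over a log and return their findings."""
    events = parse_log(text)
    return {
        "credential_stuffing": detect_credential_stuffing(events),
        "new_device_logins": detect_new_device_logins(events),
    }


if __name__ == "__main__":
    for name, result in run_detections().items():
        print(name, result)
```

On the constructed sample, the source 203.0.113.5 is flagged because its failures span five different accounts within seconds, while 198.51.100.7 is not, since three failures against a single account is a per-account lockout matter rather than stuffing. The one new-device alert is for grace, whose account is accessed successfully from the same suspicious source on a device she has never used, which is exactly the case the login-alert control is meant to surface to the user.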

The takeaway? Implementing effective security measures is critical for protecting personal data and ensuring GDPR compliance. By addressing vulnerabilities proactively and implementing strong safeguards, organisations can reduce the risk of data breaches and avoid regulatory penalties, while building trust with their customers.

Tales from the coalface

Each month, we examine pressing Data Protection issues encountered by our clients. This month, we look at Subject Access Requests as we approach Christmas. The festive season brings joy and celebrations, but for many organisations, it also ushers in an increased volume of Subject Access Requests (SARs). With GDPR's strict one-month timeline for responses, ensuring compliance while navigating seasonal challenges such as reduced staffing and holiday closures becomes a pressing concern.

Challenges Organisations Face:

Beyond the usual demands of GDPR compliance, several specific challenges arise when it comes to Subject Access Requests:

  • Meeting GDPR Timelines Under Pressure: Managing a surge in SARs while ensuring responses are delivered within the one-month timeframe (GDPR Article 15) can stretch even the most organised teams.
  • Staffing Constraints During the Festive Season: Reduced workforce availability and operational slowdowns can hinder timely processing of requests.
  • Complex Data Retrieval Processes: Retrieving and consolidating data from multiple systems often becomes more challenging without efficient systems in place.

Strategies for Success:

To navigate this busy period and maintain compliance, organisations should consider the following best practices:

  1. Plan for the Seasonal Surge: Proactively review your SAR handling process before the holiday period. Identify potential bottlenecks and implement measures to address them.
  2. Centralise SAR Management: Use a tracking system to monitor SARs from receipt to resolution, ensuring deadlines are clearly visible and prioritised.
  3. Leverage Templates and Tools: Prepare standardised response templates and FAQs for common queries. This saves time and ensures consistent, compliant responses.
  4. Communicate with Data Subjects: Inform individuals about any potential delays due to seasonal pressures, while still adhering to GDPR’s requirements (Article 12(3)). Transparency fosters trust.
  5. Ensure Adequate Resources: Allocate additional staff or establish clear escalation pathways to handle complex requests or spikes in volume.
  6. Streamline Data Retrieval: Review how data is accessed and retrieved across your organisation. Ensuring systems are efficient and well-documented reduces delays.

Why Preparation Matters:

Failing to respond to SARs within GDPR’s required timeframe not only risks regulatory penalties but also undermines trust and confidence with data subjects. Delayed or incomplete responses can lead to complaints to the DPC, reputational damage, and even financial loss in the form of fines or legal costs.

By adopting proactive measures and streamlining processes, organisations can demonstrate their commitment to transparency and accountability, as required by GDPR’s principles of fairness and accountability (Articles 5 and 24). Efficient SAR management not only ensures compliance but also reinforces the organisation’s reputation as a responsible data controller. During the festive season, when operational pressures are higher, preparation becomes even more critical in safeguarding both compliance and trust.


If you need support with SAR management, from process reviews to compliance advice, Ambit Compliance is here to help. Our team offers tailored solutions to streamline your SAR processes and ensure you stay ahead of seasonal pressures while respecting data protection rights.



Contributors to this newsletter:

Gillian Traynor and Dwayne Morgan
