Following the GDPR’s official enforcement date on May 25, 2018, it was only a matter of time before the first major fines made their way into international headlines. Portugal’s supervisory data privacy authority, the Comissão Nacional de Protecção de Dados (CNPD), has fined Centro Hospitalar Barreiro Montijo 400,000 euros for three GDPR violations. (The fines were reportedly imposed in July 2018 but were only recently made public.)
According to the CNPD’s investigation, the hospital had 985 users associated with the profile of "doctor”; however, according to HR records, the organization only employs 296 physicians. The investigation revealed a long list of related facts, such as missing documentation and continued maintenance of profiles for inactive doctors; for more details, see the IAPP article on the investigation.
The three GDPR violations cited by the CNPD are
- Allowing indiscriminate access to patient data by an excessive number of users (GDPR Articles 5(1)(c) and 83(5)(a)), incurring a fine of 150,000 euros
- Failure to prevent unlawful access to personal data (Articles 5(1)(f) and 83(5)(a)), incurring a fine of 150,000 euros
- Failure to ensure the continued confidentiality, integrity, availability, and resilience of treatment systems and services (Article 32(1)(b)), incurring a fine of 100,000 euros
What We Can Learn
Several facts around this first major GDPR fine impart important lessons about current and future compliance:
- GDPR readiness isn’t just about data breaches and requests for erasure: Some companies’ primary concerns around GDPR focus on breach notification procedures and accommodating requests from data users; this case, however, highlights the importance of controlling access to personal data. It’s vital to understand the entire scope of the regulation as it applies to your company and to align your organization with each requirement.
- It’s not just about big companies: Some companies may believe they can fly under the GDPR radar because they’re not “a Google” or “a Facebook,” but this case makes it clear that smaller organizations are just as likely to be investigated and fined.
- Regulators aren’t waiting for complaints to take action: The case first came to the CNPD’s attention not through a data subject’s complaint, but via a news media story, which triggered the investigation.
- Document, document, document: The CNPD cited the hospital’s lack of documentation around issues such as rules for creating users and the connection between users’ functional competences and their profiles, which contributed to the authority’s ruling. Make sure that you have current, thorough, and accurate documentation for all areas concerning your organization’s alignment with GDPR requirements.
If you have any questions about GDPR and how it affects your organization, feel free to give us a call.
Connect with the authors:
We're Here to Help
Questions about how to align your organization with GDPR? Get the answers you need in a complimentary 15-minute call with one of our data privacy experts: