Almost one and a half years after the introduction of GDPR (EU General Data Protection Regulation), some companies still struggle with implementing appropriate measures to deal with Personally Identifiable Information (PII) in a compliant fashion. Last week the Commissioner for Data Protection and Freedom of Information of the city state Berlin Maja Smoltczyk imposed a 195,000 euro fine on the German food delivery service provider Delivery Hero after it had committed a series of data protection law violations with its subsidiaries Foodora, Lieferheld and Pizza.de. It is Germany’s highest GDPR-related fine to date.
According to the press release by the Commissioner for Data Protection and Freedom of Information, the majority of privacy breaches displayed disregard for the rights of the affected parties. In ten cases, the delivery provider had not deleted personal data of former clients, despite those clients having been inactive on the platform for several years. Among other things, this led to marketing mails being sent out without the consent of the recipients. In a statement to the privacy officer, Delivery Hero argued that some violations could be traced back to technical glitches and employee accidents but “due to the high number of repeated violations a general, structural organizational problem was assumed.” Delivery Hero was acquired by the Dutch company Takeaway.com at the end of last year and states that all violations happened prior to the takeover.
Having understood early how crucial it is for a company to be GDPR-compliant, KuppingerCole Analysts already published a Leadership Brief in May 2017 in preparation for GDPR in which Senior Analyst Mike Small identified six key actions that IT needs to take to prepare for compliance. He stressed that the Data Controller or Data Processor must ensure that Personally Identifiable Information (PII) is “only accessed in accordance with the consent given by the data subject”. This was obviously not the case when – as stated above – in most breaches the rights of data subjects were disregarded.
Another point of emphasis in the Leadership Brief is that “organizations must have processes and technology to track the consent lifecycle for each data subject”. By admitting technical glitches, employee accidents and a lack of adequate structure and organization behind the data lifecycle process, Delivery Hero essentially made a confession of grave data negligence.
Since Delivery Hero was not in comprehensive control of its internal processes, employees and technologies, it can be assumed that the company was, and maybe still is, not sufficiently prepared for a potential data breach and would be unable to react to an incident without undue delay.
Other companies can only take this case as a learning opportunity and – in order to comply with regulations such as GDPR – implement reliable processes and technologies that do not depend on the diligence of single employees.
Nevertheless, the diligence of individual employees should not be ignored altogether. All employees should be trained in the GDPR-relevant questions that arise from their specific work tasks.
KuppingerCole offers a wide variety of research, blog posts and recorded webinars covering many different aspects of GDPR that can support you and your company in achieving and maintaining compliance. For example, there are several technical solutions for locating and classifying structured and unstructured data. These can assist companies in determining where PII and other regulatory information is located. KuppingerCole constantly investigates these markets and provides guidance.
If you have any specific questions, please do not hesitate to get in touch with us. KuppingerCole Advisory Services can efficiently support you in establishing appropriate processes and their technical implementation, strengthened by long-term practical experience and comprehensive market knowledge.