Whilst much of the concentration in GDPR and data security has been on emails and other forms of electronic data, it is important to remember that GDPR covers hardcopy data too. Some of the most significant breaches that we have seen involve hardcopy data – it is often more consequential when it is lost and the potential for harm can be greater. A recent decision in Poland confirms that hardcopy data is still on the radar of Data Protection Authorities too.
There are some GDPR technical terms used in this note which are explained at www.bit.ly/gdprwords
What was the Cyfrowy Polsat case about?
Cyfrowy Polsat is a Polish telecoms broadcast business launched in 1999 and the fifth largest digital platform in Europe.
According to the Polish DPA, the UODO, Cyfrowy Polsat did not implement appropriate technical and organisational measures (TOMs) with its courier company. This resulted in a number of packages going astray and some being delivered to the wrong recipient. Cyfrowy Polsat reported these data breaches to UODO but sometimes 2-3 months after they happened.
Cyfrowy Polsat said that the reason for the late reporting was delays in getting information about packages from its courier. UODO said, however, that this was the responsibility of Cyfrowy Polsat, which should have had adequate TOMs in place to minimise security breaches and allow for faster identification of problems so that it could tell UODO in time.
What did Cyfrowy Polsat say?
The company said that the pandemic was partly responsible, as it had had an impact on the timeliness of data breach notifications. It also said that the verification processes for the handling of documents were different during the pandemic. The company also provided metrics showing its analysis of incidents in August and September 2020, which showed an improvement as a result of new measures that had been introduced.
What was UODO’s response?
UODO didn’t agree about the effects of the pandemic, as some of these issues pre-dated lockdown measures. UODO also felt that the metrics which Cyfrowy Polsat provided were not sufficient to show that the pandemic was one of the underlying issues.
UODO also took action on the basis of a failure to tell data subjects when there was a high risk to them, in breach of GDPR Art. 34.
UODO said that it was not sufficient just to have a contract in place – a controller must also exercise proper supervision of a processor’s performance and its contractual obligations. It said “The company is liable for failure to implement mechanisms guaranteeing the effectiveness of measures.”
What was the fine?
UODO fined Cyfrowy Polsat 1.14m Zloty – around £210,000.
According to UODO, Cyfrowy Polsat, in addition to paying a fine, has agreed to put in place remedial measures which include better tracking of shipments and new systems to report issues. Cyfrowy Polsat has also reviewed and strengthened its contract with its providers.
Is this the first case on hardcopy data?
No. It is important to note that DPAs do take enforcement action over issues like this. For example, under the pre-GDPR regime in the UK a dental practice, Regal Chambers Surgery, was fined £40,000 after disclosing 67 pages of hard copy materials in a file to the wrong person. At that time the maximum possible fine was £500,000. More recently, in December 2019 under GDPR, the ICO fined Doorstep Dispensaree Ltd. £275,000 for failing to ensure the security of hard copy data (see http://bit.ly/gdprdoor).
The Polish DPA had also previously issued guidance on the risks with hardcopy data during the pandemic, including home working. You can see our summary of that guidance here http://bit.ly/gdprvirus.
Lessons to be learned
This case tells us a number of things including:
- Hardcopy data is important. Many GDPR and information security programs concentrate just on electronic data. Hardcopy data breaches can be more damaging given the ease with which data can be taken without specialist skills. It can also be easier to read, copy and share that data anonymously.
- As we predicted prior to GDPR coming in, the security and integrity of data is important. Organisations need to remember that they are responsible not only for their own use of data but also for the performance of the people they trust with that data. That will include doing due diligence on providers, having the right contracts in place and monitoring their performance.
- The 72-hour reporting deadlines are tight but will be enforced. You’ll need to make sure your procedures are fit for purpose and that third parties who process your data tell you when they have concerns. When you do spot a possible security vulnerability, you need to deal with it quickly and efficiently. You can find some tips on dealing with a data breach in our short film here https://www.corderycompliance.com/dealing-with-a-data-breach/ and details of our approach to data breach response here https://www.corderycompliance.com/dealing-with-a-breach/. Ireland’s €450,000 fine for Twitter in December (https://www.corderycompliance.com/irish-dpc-fines-twitter-2/) is a reminder that DPAs are looking at the timing of reports too.
- Organisations should make sure that their policies and procedures are up-to-date. Some of the cases we have seen (including the H&M case here https://bit.ly/hamburgfine) emphasise that once there is an investigation, it will not necessarily be confined to the breach itself. The organisation’s general data protection hygiene may also be considered, leading to possible additional enforcement action.
- Look at the complete path of your data. We have been involved in cases where employees have put sensitive confidential documents into ordinary post. We’ve also seen cases where sensitive data has been put in the wrong type of packaging, which has fallen apart in the rain and left the documents exposed. People take shortcuts unless they are told not to. Our sense is that this trend has been exacerbated during the pandemic with extra deliveries, the challenges of taking signatures and so on. Clear guidance is needed for your employees and for those you engage to handle data for you.
- Data Protection Authorities must be treated with respect. Investigations like this are serious and organisations need to make sure that they deal with them properly. In most cases that is likely to mean that specialist counsel should be instructed to liaise with the regulator. It would appear that the company here made some errors in the way in which it dealt with the initial investigation, and that seems to have possibly made the situation better, not worse.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and monthly conference calls to help you comply. More details are at www.bit.ly/gdprnav.
You can read the UODO’s full decision here https://www.uodo.gov.pl/decyzje/DKN.5130.3114.2020
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784

André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1785