Ah privacy. It keeps me entertained. And not only because it pays for my mortgage and the (somewhat cushy) lifestyle of my dog, but also because it does not cease to highlight how uncommon common sense actually is.
This week, Spain's data protection authority (the AEPD) has fined telco giant Vodafone with a (fairly modest) EUR 75,000 for a marketing breach. "Not a passle worthy sum surely", I hear you cry. And I would have to agree, if it were not for the fact that this resolution highlights 2 very important things that companies should be mindful of:
(1) EU privacy regulators are not taking excuses for non compliance and therefore the "we've always done this in this way" culture is definitely out of the window; and
(2) Your compliance is only as strong as your weakest link.
Arguably, this is not news (please refer to the Talk Talk ICO fine for a similar situation). However, the fact that a leading telco has been fined in 2020 for something very basic after having spent a lot of time, money and effort on a GDPR compliance program is, to say the very least, worrying.
We all rushed to get GDPR ready by May 2018, but now two years have past, the panic has been forgotten and people seem to be going back to the "we've always done this in this way". And that puts your data, your employees, your customers and your business at risk.
How to fix this? Privacy (and common sense) needs to really be part of your company's culture - so keep training, keep drilling the message in.
And don't despair, if health and safety and AML sunk into the collective consciousness, surely these "dummy" privacy situations will soon end too. Just make sure that your company isn't caught in the cross fire.
The Spanish Data Protection Authority (AEPD) imposed a fine of 75.000 EUR on VODAFONE ESPAÑA for processing the claimant’s telephone number for marketing purposes after they had exercised their right to erasure in 2015, in spite of what the data subject was sent advertising SMS. The controller stated that the claimant number, being easy to remember, had been used as a “dummy number” by its employees.