Data breach

How to be in pole position to avoid data protection regulatory actions

In a historic move, the Danish Data Protection Authority, Datatilsynet has recommended its first fine under the GDPR regime for taxi company Taxa4x35 for its failure to adhere to principles of data minimisation and a failure to properly anonymise personal data.

Organisations who wish to avoid facing similar fines should be aware of the GDPR’s strict requirement of data minimisation and various proactive organisational and technical measures they can take to minimise their risk exposure.

What did Taxa4x35 get wrong?

Datatilsynet’s recommendation of 1.2 million Danish Kroner (approximately £140,000/€160,700 at the time of writing) was issued following an investigation into Taxa4x35 which took place in August of 2018. This fine amounted to around 2.8% of Taxa’s global annual turnover and marks an era where European Supervisory Authorities are now unafraid to show their teeth when it comes to dealing with transgressions under the GDPR.

In summary Taxa4x35’s retention period stated that a customer’s orders and payment for taxi services would be anonymised after two years due to the fact that there would be no need to identify the customer after this period. The reality was however, only the customer’s name was deleted at the end of this two-year period, leaving other personal data such as telephone number, collection and delivery address to be retained for up to five years. The result of this was that the so called “anonymisation process” was a failure as a customer’s identity could still be inferred from combining other pieces of personal data still retained on Taxa4x35’s systems.

Responding, Taxa 4×35 has attempted to argue that a customer’s telephone number was not deleted due to the technical limitations of their systems, providing that such retention was an integral part of the service they were offering. Datatilsynet has rejected this argument stating that it is unacceptable to set a deletion period three years longer that what is strictly necessary simply because it is difficult to comply with the rules of the GDPR. Datatilsynet has now sent a powerful message to organisations across the European Economic Area (EEA), letting them know that technical limitations of systems will not mitigate their duty to comply with the GDPR.

Personal data retained for too long

Datatilsynet found that Taxa4x35’s five-year retention period for customer telephone numbers was far too lengthy and was not completely necessary. Furthermore, the telephone number was now being used for solely business development purposes with the customer rather than the management of bookings, which was the original purpose of collection and processing. Therefore, it was now also unrelated to the purpose for which it was originally collected for, being in direct breach of the Regulation.

Organisations should ensure that all personal data processed by them is indexed in their Record of Processing (ROP) and retention schedule. There should be deletion parameters and dates set for any personal data collected and processed when it is no longer necessary. The increased use of statutory powers by EU Supervisory Authorities as evidenced by this case means organisations can no longer hold onto personal data which may be of use to them in the future.

Failure of the anonymisation process

Taxa4x35’s failure to properly anonymise their entire data set was also part of the reason why Datatilsynet found them to be in breach of the GDPR. Anonymisation, if done correctly, must be irrevocable. This means that the data subject from whom the personal data originated from must no longer be identifiable in the anonymised data set.

It is of little use employing an incomplete anonymisation procedure as was the case with Taxa4x35, who thought merely deleting the data subject’s name was adequate. If your organisation aims to anonymise redundant data sets, rather than delete them caution must be exercised in when doing so. Consultation with your DPO at all stages of the anonymisation process is critical to ensuring this process goes smoothly.

Key takeaways from this case

Datatilsynet’s fine recommendation is yet another example of the paradigm shift in attitude towards the protection of personal data and data protection in general across the EEA under the GDPR. It demonstrates that organisations are expected to expend resources to ensure GDPR compliance, rather than relying on less effective, but more efficient measures. It also demonstrates the care that must be taken when anonymising data to ensure that other data cannot be combined to re-identify individuals. Again, an investment in thinking through anonymisation procedures systematically with experts is required. Organisations who take a constructive and proactive approach to their data protection matters will be in pole position to avoid regulatory action.

If you wish to talk more about the issues discussed in this article, or any other matter concerning Data Protection, please visit Trilateral Data Protection Officer page and do not hesitate to contact a member of Trilateral Research’s DPO team.

Robert Henderson, Data Protection Advisor at Trilateral Research

 


‘Risk Assessment Report and Methodology’

You can view the Executive Summary and Table of contents of the Project Solebay Risk Assessment Methodology Report.

Please sign up to the Solebay mailing list to download the Full Solebay project report.