You are here
Home > News > Cyberlaw > First GDPR Enforcement Action Didn’t Even Involve a Data Breach

First GDPR Enforcement Action Didn’t Even Involve a Data Breach

This is an interesting precedent. In the very short term, check the access rights of your staff to personal data. Next, check that your access controls are actually working…:

Compliance officers recently got their first look at an enforcement action under the EU General Data Protection Regulation — and in a somewhat surprising turn of events, the offense in question didn’t involve a data breach.

Portugal’s national privacy regulator, the Comissão Nacional de Protecção de Dados (CNPD), fined a major hospital just outside Lisbon €400,000 for violating the GDPR. Apparently this is the first monetary penalty imposed by a European privacy regulator since the GDPR went into effect last May.

The offense? The hospital allowed too many staffers to have too much access to patient data. It was a failure of access control, which really is a failure of policy and procedure.

For example, the CNPD found that 985 employees of the hospital had the access rights of a medical doctor — when the hospital had only 296 doctors on staff.


Read the original article here

Peter Glock
Over 30 years of designing, building and managing telecoms and IT services. Primarily working with large enterprise and professional services businesses in Asia, North America, continental Europe and the UK. Information security professional, secret physics nerd.

Similar Articles

Leave a Reply

%d bloggers like this: