This is an interesting precedent. In the very short term, check the access rights of your staff to personal data. Next, check that your access controls are actually working:
Compliance officers recently got their first look at an enforcement action under the EU General Data Protection Regulation — and in a somewhat surprising turn of events, the offense in question didn’t involve a data breach.
Portugal’s national privacy regulator, the Comissão Nacional de Protecção de Dados (CNPD), fined a major hospital just outside Lisbon €400,000 for violating the GDPR. Apparently this is the first monetary penalty imposed by a European privacy regulator since the GDPR went into effect last May.
The offense? The hospital allowed too many staffers to have too much access to patient data. It was a failure of access control, which really is a failure of policy and procedure.
For example, the CNPD found that 985 employees of the hospital had the access rights of a medical doctor — when the hospital had only 296 doctors on staff.
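As an added illustration (not part of the article, and not the hospital's or regulator's tooling), the kind of reconciliation an IAM or compliance team would run to surface exactly this mismatch: compare each account's application roles against the HR roster's job function, flag accounts whose job does not justify the role (orphaned accounts with no roster entry included), and count accounts holding a role versus staff who actually hold the corresponding job. All roster data, role names and the entitlement policy below are constructed.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample data: an HR roster (user id -> job function) and an
# access-management export (application role -> user ids holding it).
HR_ROSTER = {
    "u001": "physician",
    "u002": "physician",
    "u003": "nurse",
    "u004": "it_admin",
    "u005": "receptionist",
}
ROLE_ASSIGNMENTS = {
    # u006 has no roster entry at all: an orphaned account
    "doctor": {"u001", "u002", "u003", "u004", "u005", "u006"},
    "nurse": {"u003"},
}
# Which HR job functions legitimately justify each application role
# (hypothetical policy for this example).
ROLE_ENTITLEMENT_POLICY = {
    "doctor": {"physician"},
    "nurse": {"nurse"},
}

@dataclass(frozen=True)
class Finding:
    user_id: str
    role: str
    job: str

def find_overprovisioned(roster, assignments, policy):
    """Return accounts holding a role that their HR job function does not justify."""
    findings = []
    for role, users in assignments.items():
        allowed_jobs = policy.get(role, set())
        for uid in sorted(users):
            job = roster.get(uid, "UNKNOWN")  # no roster entry is itself a finding
            if job not in allowed_jobs:
                findings.append(Finding(uid, role, job))
    return findings

def role_headcount_report(roster, assignments, policy):
    """Per role: accounts holding it vs staff whose job justifies it (the 985-vs-296 check)."""
    jobs = Counter(roster.values())
    return {
        role: {"accounts_with_role": len(users),
               "staff_justified": sum(jobs[j] for j in policy.get(role, set()))}
        for role, users in assignments.items()
    }

if __name__ == "__main__":
    for f in find_overprovisioned(HR_ROSTER, ROLE_ASSIGNMENTS, ROLE_ENTITLEMENT_POLICY):
        print(f"{f.user_id}: role '{f.role}' not justified by job '{f.job}'")
    print(role_headcount_report(HR_ROSTER, ROLE_ASSIGNMENTS, ROLE_ENTITLEMENT_POLICY))
```

In practice the two inputs come from the HR system and the application's role export; the headcount report is the quick sanity check, and the per-account findings are what feeds the access-review and removal workflow.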