Recently, the German subsidiary of a multinational Swedish fashion chain was fined a record-breaking €35.3 million ($41.8 million) for a breach of the General Data Protection Regulation (GDPR)—the largest financial penalty issued in Germany since the EU law came into force in 2018.
It was the latest high-profile company to make negative headlines for its data privacy shortcomings, following in the wake of Google, Marriott International, and British Airways, which had also been hit with eye-watering GDPR penalties.
But the damage to the retailer and its employees could have been avoided. In this post, we examine the details of the case and discuss how NetApp Cloud Data Sense, NetApp's AI-driven privacy tool, can help compliance teams keep tabs on the sensitive data in their databases.
Findings of the Investigation
After a year-long investigation by the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI), the federal state regulator concluded that the retail chain had been collecting and processing excessive amounts of personal data about staff at its Nuremberg service center.
The German watchdog interviewed members of staff and reviewed more than 60 GB of data stored in an online database, which contained detailed information about holidays, health, family issues, and religious beliefs of its employees.
Managers and supervisors at the company garnered the data through a wide variety of means, including informal workplace conversations and welcome-back talks following holidays and sickness absence.
The information was used to build staff profiles and was shared by approximately 50 managers for making performance evaluations and employment decisions.
The practices came to light in October 2019 when a configuration error led to company-wide exposure of the data for several hours. The company reported the incident to the relevant authorities, offered financial compensation to those affected, and launched a comprehensive action plan of new organizational and technical measures to prevent similar privacy violations in future.
The HmbBfDI hasn't released details of the precise legal grounds for the fine. The fine was the third highest issued under the GDPR and the largest to date for this particular nature of offense.
How NetApp Helps Prevent Compliance Problems
NetApp's data privacy analysis tool Cloud Data Sense is able to discover, map, and classify certain types of personal data on a variety of storage services—as well as in relational and document-oriented databases, such as MySQL, PostgreSQL, Microsoft SQL Server, Oracle and MongoDB, on any type of infrastructure.
It can understand data in both structured and unstructured form and uses AI technologies, including natural language processing (NLP), machine learning (ML) and cognitive computing (CC), to understand the meaning of content to ensure accurate detection of personal information or special category data.
As it scans your data, Cloud Data Sense maintains an index of this personal information, classifying it according to the type of data, such as email address, ethnic origin or sexual orientation, as defined by privacy laws such as the GDPR.
This could have provided the Swedish retailer with a suite of tools useful in classifying and organizing personal information—providing insights into what data the company was collecting and where it was storing it. An awareness of this type of data in a data processing system can help customers identify and manage specific privacy risks in their environment.
Data Visibility and Classification
Cloud Data Sense also includes a search facility that helps compliance teams locate personal data based on the category to which it belongs and quickly establish whether staff are storing information they shouldn't be.
These features would've been invaluable to the Swedish retailer, as it would've quickly become aware of any excessive data collection practices and been able to take appropriate action accordingly.
NetApp's compliance status dashboard
Quicker and More Efficient Investigations
It took the HmbBfDI a whole year to conduct its investigation. This was a significant burden not only on the German DPA but also on the fashion chain, which likely dedicated a substantial amount of time and effort to assisting the investigation.
The regulator analyzed around 60 GB of data. Much of this content, such as email addresses and social security numbers, would follow standard patterns and would've been relatively easy to identify. But more complex private details about employees would've been far more difficult to find without human-like understanding of the data.
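As an added illustration (not NetApp's code, and not how Cloud Data Sense is implemented), the following Python sketch shows the two kinds of detection the paragraph contrasts: a regex for pattern-following identifiers such as email addresses, and a small keyword lexicon standing in for the semantic analysis needed to spot special-category details in free text, both feeding an index that a compliance team can search by category. The HR records and term lists are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of the kind of HR records the post describes:
# a structured field plus free-text notes from "welcome-back talks".
SAMPLE_RECORDS = [
    {"id": 1, "email": "a.mueller@example.com",
     "note": "Back from holiday in Spain; says she enjoyed the beach."},
    {"id": 2, "email": "not-an-email",
     "note": "Returned after surgery for a herniated disc, still on painkillers."},
    {"id": 3, "email": "k.yilmaz@example.com",
     "note": "Asked for Friday afternoons off to attend mosque prayers."},
]

# Structured identifiers follow a stable pattern, so a regex is enough.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Special-category terms (GDPR Art. 9) follow no pattern. This tiny
# lexicon is a constructed stand-in for NLP; it will miss paraphrases.
SPECIAL_CATEGORY_TERMS = {
    "health": ["surgery", "sick leave", "diagnosed", "painkillers", "therapy"],
    "religious beliefs": ["mosque", "church", "synagogue", "prayer"],
}

def classify_record(record):
    """Return the set of personal-data categories found in one record."""
    found = set()
    if EMAIL_RE.match(record.get("email", "")):
        found.add("email address")
    text = record.get("note", "").lower()
    for category, terms in SPECIAL_CATEGORY_TERMS.items():
        if any(term in text for term in terms):
            found.add(category)
    return found

def build_index(records):
    """Map each category to the ids of the records that contain it."""
    index = defaultdict(set)
    for record in records:
        for category in classify_record(record):
            index[category].add(record["id"])
    return dict(index)

def search_by_category(index, category):
    """Category-based lookup, as a compliance team would use it."""
    return sorted(index.get(category, set()))

if __name__ == "__main__":
    idx = build_index(SAMPLE_RECORDS)
    for cat in sorted(idx):
        print(f"{cat}: records {search_by_category(idx, cat)}")
```

Record 2 illustrates the paragraph's point: its malformed email is rejected by the pattern check, while its health details surface only because the note's wording happens to be in the lexicon.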
A Wake-Up Call
The sheer magnitude of the fine imposed on the clothing firm should serve as a wake-up call to employers that hefty GDPR penalties aren't only restricted to cases involving large-scale exposure of data about the general public. They are also used as an enforcement mechanism for violations of the privacy rights of employees.
Personal data is central to the day-to-day running of any organization. But enterprises still need visibility into the personal data they are collecting and storing so they can establish whether this processing is fair, justified, and in line with organizational requirements.