As the saying goes, “March comes in like a lion and goes out like a lamb”. Regarding GDPR enforcement actions collated in March 2023, the lion has roared. Recent enforcement actions related to the General Data Protection Regulation (GDPR) in multiple countries highlight common threads and emerging trends that business owners must consider to improve their compliance with data protection laws. The following examples, which we gathered in March 2023, illustrate these trends and provide actionable business insights.
Inadequate technical and organizational measures
Many of the cases, including those involving Azienda ULSS n.5 Polesana (Italy), Szczecin-Centrum District Court (Poland), Med Life S.A. (Romania), and Tinmar Energy S.A. (Romania), demonstrate that failing to implement sufficient technical and organizational measures to protect personal data can result in fines. In these cases, the data breaches occurred because of errors, such as sending sensitive information to the wrong recipients or using unsecured devices.
Violating the principle of data minimization
The Spanish Data Protection Authority (DPA) fined private individuals for violating the principle of data minimization. In two cases, individuals installed video surveillance cameras that recorded areas beyond their private property, infringing on the privacy of others. In another case, an individual sent an email containing personal data using an open distribution list, exposing the recipients’ email addresses.
Unauthorized disclosure of personal data
Several cases, such as those involving Med Life S.A. (Romania), an attorney (Spain), and a private individual (Spain), involved the unauthorized disclosure of personal data. In each case, the responsible party failed to obtain consent from the data subjects before sharing their information with third parties.
Actions you can take next
- Strengthen data protection measures by regularly reviewing and updating security protocols, including employee training, secure data storage, and encryption. We can help you with data protection training.
- Limit data collection and storage to the minimum necessary by reviewing and revising data collection practices, ensuring compliance with the data minimization principle.
- Seek consent from data subjects before sharing their information with third parties, and always ensure that you transmit any data securely and responsibly. We can help you with consent.
- Implement clear policies and procedures for employees to follow when handling personal data and regularly monitor compliance with these policies.
- Establish a robust incident response plan to quickly detect and mitigate data breaches, minimizing potential damage and legal exposure. We can help you with an incident response policy.
By addressing these emerging trends and implementing the recommended actions, businesses can better protect personal data, avoid enforcement actions, and maintain a strong reputation in the age of increasing privacy regulation. That’s it for our rundown of GDPR enforcement actions collated in March 2023.