Until now most big fines under GDPR have been for big breaches, single or singular events. Now the German Federal regulator has fined a company for its Call Centre procedures. The logic of the fine is that identity theft could have occurred, as the bar for an individual to get access to the data the company held was too low. So it can be argued that it is still about data loss, but the significance is that this is about the process, not a specific large scale loss.
The company is appealing the fine on two grounds: that they have already started to change the system to give higher security; and that the fine of €9.6m was disproportionate as it took in too much of the wider firm.
Whether either ground will work is for another day. What is clear however, is that those companies who have been relying on the regulatory spotlight only falling on them if they have a big data loss now need to think again.
But what about the specific issue of call centres? Getting the balance between a user-friendly customer journey and data security has never been easy. This ruling just adds to the pressure on that balancing act.
Underneath it all there’s a simple message. Those boring policies, procedures and training that your DPO has (or should have been) talking about now have a real valuation attached to them. And it’s a big one.
Germany's data protection watchdog said anyone who called 1&1 Telecom could get extensive personal information about someone else solely by giving their name and date of birth. Fraudsters can easily collect such details from social networks and elsewhere on the net.