
If this is the sort of enforcement we can expect, this could suck: https://ico.org.uk/action-weve-taken/enforcement/sse-energy-... (there are several others, this one is just interesting because it's a very simple mistake with very minimal PII)

Also, my understanding is Germany allows for whistle-blowers to take a cut of fines. Language in the GDPR calls for over-estimating damages for loss of PII when compensating individuals as well.

Generally, I appreciate the GDPR. That said, it's a huge burden trying to go through many dozens of workflows, technical or otherwise, where (typically minimal) PII is recorded, catalog them, limit (and purge) intake of data to bare minimums, create documentation supporting said workflows to be able to provide it to the SAs, create a plan for being able to search ALL those workflows/databases/spreadsheets/apps that have PII to supply that data upon request, and then be able to delete all cases of such data upon request.

Turns out that's actually a mountain of work. It will probably force us to significantly improve workflows and combine data repositories moving forward but it's a large burden up front. Likely many hundreds, if not thousands, of hours for our fairly small enterprise.



I read that enforcement report. I think it was fully warranted that the £1,000 fine was levied against that company: (1) they did not immediately report the fact that they disclosed those customers' private information, and (2) they did not have appropriate technical measures in place to avoid such problems; specifically, they were tasking their CS reps to cut and paste information between screens that could display the information of two unrelated customers, a super stupid and error-prone setup.

The fine of £1,000 is proportionate given the size of the entity it is levied against, the resources at their disposal and the turnover of the company. If the company had been much smaller one would hope for leniency, but the fine would either not have been levied at all or it would have been £1,000; there is no middle ground there.

You'd hope they learned their lesson.


It's a fixed penalty, so ICO didn't have much choice over the amount.



