France's data protection regulator, the CNIL, recently announced that it has fined the online shoe retailer Spartoo 250,000 euros for breaching European data protection law. The General Data Protection Regulation (GDPR) applies to organizations established in the EU and to organizations outside it that offer goods or services to, or monitor the behaviour of, people in the EU; beyond that, many GDPR obligations are replicated in data protection laws around the world, such as the California Consumer Privacy Act (CCPA).
Here I look at the lessons that all organizations can learn from this decision, and suggest how your data protection practices, policies and procedures might be improved. I take each of the breaches identified by the CNIL in turn.
The first breach concerns data minimization: the principle that an organization should not gather more personal data from its customers or prospective customers than it needs for a specific, stated purpose.
In this case, the CNIL found the full and permanent recording of every customer service call to be unnecessary: only one call per employee per week was actually reviewed.
Take-home message: organizations cannot simply 'hoover up' data passively. They need an intentionally designed collection process that gathers no more personal data than is necessary to carry out the business, and that can justify each item it collects.
The CNIL found that Spartoo had no adequate process for deleting personal data once a set period had elapsed. Keeping customers' email addresses and passwords more than five years after their last activity was held not to be GDPR-compliant.
Take-home message: define a retention period for each category of personal data (for example, two years without use), have your systems automatically flag records that exceed it, and schedule the flagged data for deletion. A retention rule that nobody has automated is a retention rule that will not be followed.
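The flag-then-delete process described above, as an added example that is not code from the article or from Spartoo. The record layout, the data categories, the retention periods and the grace period between flagging and hard deletion are all assumptions chosen for illustration; the sample records are constructed. The sweep is written so that data with no retention rule is an error rather than something quietly kept forever, which is the failure mode the decision punishes.

```python
"""Retention sweep: flag personal data that has gone unused for longer than its
retention period and schedule it for deletion after a grace period.

Added example, not code from the article or from Spartoo. The record layout,
categories, retention periods and grace period are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed policy: the longest a category of data may sit unused before it is flagged.
RETENTION = {
    "customer_account": timedelta(days=730),  # two years without use
    "card_scan": timedelta(days=30),          # hypothetical fraud-check window
    "call_recording": timedelta(days=90),
}
GRACE = timedelta(days=30)  # time between flagging and hard deletion


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    last_used: date                    # last access or use, not the creation date
    flagged_on: Optional[date] = None  # set once the record has been flagged


def sweep(records: List[Record], today: date) -> Tuple[List[str], List[str], List[str]]:
    """Classify records into (flagged, delete_now, kept) lists of record ids.

    - kept: still within its retention period
    - flagged: past retention and newly flagged, or still inside the grace period
    - delete_now: flagged for at least GRACE, ready for hard deletion
    An unknown category raises: data with no retention rule must not silently
    be kept forever.
    """
    flagged, delete_now, kept = [], [], []
    for r in records:
        limit = RETENTION.get(r.category)
        if limit is None:
            raise ValueError(f"no retention rule for category {r.category!r}")
        if today - r.last_used <= limit:
            kept.append(r.record_id)
        elif r.flagged_on is None:
            flagged.append(r.record_id)
        elif today - r.flagged_on >= GRACE:
            delete_now.append(r.record_id)
        else:
            flagged.append(r.record_id)  # already flagged, still inside the grace period
    return flagged, delete_now, kept


# Constructed sample data for a sweep run on 10 July 2020.
TODAY = date(2020, 7, 10)
SAMPLE = [
    Record("acct-1", "customer_account", date(2020, 1, 10)),
    Record("acct-2", "customer_account", date(2014, 3, 1)),
    Record("acct-3", "customer_account", date(2013, 6, 1), flagged_on=date(2020, 5, 1)),
    Record("scan-1", "card_scan", date(2020, 4, 1)),
    Record("rec-1", "call_recording", date(2020, 3, 1), flagged_on=date(2020, 7, 1)),
]

if __name__ == "__main__":
    flagged, delete_now, kept = sweep(SAMPLE, TODAY)
    print("flag:", flagged)
    print("delete:", delete_now)
    print("keep:", kept)
```

In practice the sweep would run as a scheduled job, persist the flag date on the record, and write each deletion to an audit log so that the retention rule can be evidenced to a regulator.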
Security flaws identified by the CNIL included:
- The retention of unencrypted scans of customers' bank cards for more than six months;
- Allowing customers to set unduly weak passwords.
Take-home message: data protection, privacy and information security policies and processes must line up, especially for sensitive financial data. A privacy policy that promises limited retention is undermined by a fraud-check process that keeps card scans in clear text for months, and a security policy is only as strong as the weakest password it accepts.
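As an added example of the password point, not code from the article or from Spartoo: a password acceptance check that rejects short and known-breached passwords, paired with storage that keeps only a salted, iterated hash so that a retained password record (the problem in the previous section) is not a plaintext credential. The minimum length, the tiny stand-in breached-password list and the PBKDF2 parameters are assumptions chosen for illustration; a real deployment would check against a full breached-password corpus.

```python
"""Password acceptance policy and hashed storage.

Added example, not code from the article or from Spartoo. MIN_LENGTH,
MAX_LENGTH, BLOCKLIST and ITERATIONS are assumed values for illustration.
"""
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 12
MAX_LENGTH = 128  # bounds the work done by the hash on attacker-supplied input
# Constructed stand-in for a breached-password list; use a real corpus in production.
BLOCKLIST = {"123456", "password", "qwerty123456", "spartoo2020", "azertyuiop12"}
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 iteration count (OWASP 2023 guidance)


def password_problems(password, context=()):
    """Return the reasons a password is rejected; an empty list means acceptable.

    Checks length, a breached-password blocklist and reuse of account context
    such as the e-mail address or username. Deliberately no composition rules:
    length and blocklisting do more against guessing than forced symbol classes.
    """
    pw = unicodedata.normalize("NFKC", password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in BLOCKLIST:
        problems.append("found in breached-password list")
    for item in context:
        if item and item.lower() in pw.lower():
            problems.append(f"contains account detail {item!r}")
    return problems


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    for candidate in ("123456", "correct horse battery"):
        print(candidate, "->", password_problems(candidate, ("bob@example.com",)) or "ok")
    record = hash_password("correct horse battery")
    print(record)
    print("verify:", verify_password("correct horse battery", record))
```

The stored string carries its own algorithm and iteration count, so the cost can be raised later and old records re-hashed on next login without a format change.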
Whether your organization operates in the EU or somewhere else with similar regulation (such as California), the findings in this decision describe good data protection practice. Minimize the data you collect, retain it only as long as necessary, tell customers what you do with it, and implement robust security controls: together these form the core of a workable data governance framework.