What the first Italian GDPR fine reveals about data security liabilities for processors
Rousseau, the online voter consultation platform that the Italian political party 5 Star Movement uses, was fined €50,000 for leaving its users’ data vulnerable to attackers.
The Italian Data Protection Authority, known as the “Garante,” issued the fine against Rousseau on April 4 for violating Article 32 of the GDPR. This is not the first time Rousseau has run afoul of the Garante. The Italian DPA presented the platform with a series of recommendations in December 2017 (in Italian) to address its vulnerabilities, and in 2018 it fined the platform €32,000 over concerns that it illegally shared member data with third parties. While authorities admit that the security surrounding Rousseau’s data processing has improved, it is still not compliant with GDPR standards, which led to this most recent fine.
Rousseau’s two remaining violations were a failure to adequately anonymize e-voting data and a failure to regulate access to the personal data on the platform. The Garante found that a small group of individuals from the Rousseau Association and the 5 Star Movement can access the platform and its data (which includes sensitive personal data, such as political preferences) without leaving a trace. In paragraph 4.2, authorities wrote that there was:
sharing of authentication credentials by several employees with high privileges for the management of the Rousseau platform and [a] failure to define and configure the different authorization profiles in order to limit access to only the data necessary in the various fields of operation, which in the previous legal system were qualified as minimum security measures for data controllers… It is, therefore, evident that the failure to adopt such measures and, conversely, the sharing of the authentication credentials among subjects entitled to manage the platform represent a violation
If you would like to read the complete ruling by the Garante, click here (in Italian).
Security of processing personal data
Article 32 discusses the minimum standards of security that data controllers and data processors must meet. It requires that organizations use both technical protections and administrative processes to “ensure a level of security appropriate to the risk.” It mentions four specific measures that companies should implement:
- Protect data with pseudonymisation and encryption — End-to-end encrypted services are especially effective for reaching the GDPR’s required level of security.
- Ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services — Companies must keep all their software and applications up to date, and patch known network flaws.
- Be able to restore personal data in the event of a physical or technical incident — Essentially, companies must have backups of their users’ personal data.
- Regularly test, assess, and evaluate the effectiveness of your technical and organisational security measures — Companies must continuously test their IT security as new and different vulnerabilities emerge.
Rousseau actually did a respectable job meeting the Garante’s recommendations regarding those four factors. However, the fact that they allowed their staff and 5 Star Movement party members to share credentials made it impossible for Rousseau to comply with Section 4 of Article 32, which requires that “The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller.”
Data security and GDPR compliance
Businesses can avoid these sorts of GDPR fines by preventing employees from sharing credentials. Adding additional encryption to sensitive data is another safeguard, and it could also assist with the anonymization of e-voting data. Rousseau, for its part, states that it plans on using blockchain technology to address the issues the Garante has pointed out.
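The two deficiencies the Garante singled out, shared administrator credentials and missing authorization profiles, are both access-control design problems. The following is an added example, not code from Rousseau or from the ruling, showing what the corrected design looks like: one credential per natural person, a role-based profile that limits each account to the fields its job needs, and an audit log that records every access attempt, allowed or denied, against a named account. The role names, record fields and account names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Set

# Authorization profiles: the record fields each role may read.
# Role and field names are hypothetical, chosen for this example.
PROFILES: Dict[str, Set[str]] = {
    "vote_tallier": {"ballot_id", "choice"},          # sees votes, never identities
    "membership_clerk": {"member_id", "name", "email"},  # sees identities, never votes
}


@dataclass(frozen=True)
class Account:
    username: str
    role: str
    holders: FrozenSet[str]  # natural persons who know this credential


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str
    username: str
    role: str
    record_id: str
    fields: tuple
    allowed: bool


class Platform:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit_log: List[AuditEntry] = []

    def add_account(self, username: str, role: str, holders) -> None:
        if role not in PROFILES:
            raise ValueError(f"unknown role {role!r}")
        self.accounts[username] = Account(username, role, frozenset(holders))

    def read(self, username: str, record_id: str, record: dict, fields) -> dict:
        """Return only the requested fields, and only if the role's profile permits them.

        The attempt is logged before the decision is enforced, so denied
        attempts leave a trace too.
        """
        account = self.accounts[username]
        requested = tuple(fields)
        permitted = PROFILES[account.role]
        allowed = set(requested) <= permitted
        self.audit_log.append(AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            username=username, role=account.role,
            record_id=record_id, fields=requested, allowed=allowed,
        ))
        if not allowed:
            raise PermissionError(
                f"{username} ({account.role}) may not read "
                f"{sorted(set(requested) - permitted)}")
        return {f: record[f] for f in requested}

    def unattributable_accounts(self) -> List[str]:
        """Credentials known to more than one person cannot tie an access to a natural person."""
        return sorted(u for u, a in self.accounts.items() if len(a.holders) != 1)

    def accesses_to(self, record_id: str) -> List[str]:
        """Which accounts touched (or tried to touch) a record, from the audit log."""
        return [e.username for e in self.audit_log if e.record_id == record_id]


def demo() -> dict:
    p = Platform()
    p.add_account("alice", "membership_clerk", {"Alice"})
    p.add_account("bob", "vote_tallier", {"Bob"})
    # The anti-pattern from the ruling: one credential shared by two people.
    p.add_account("ops", "vote_tallier", {"Carol", "Dan"})

    # Constructed sample records.
    member = {"member_id": "m-1", "name": "Example Member", "email": "member@example.invalid"}
    ballot = {"ballot_id": "b-1", "choice": "yes"}

    p.read("alice", "m-1", member, ["name", "email"])  # within profile
    p.read("bob", "b-1", ballot, ["choice"])           # within profile
    try:
        p.read("bob", "m-1", member, ["name"])          # tallier reaching for identities
        denied = False
    except PermissionError:
        denied = True

    return {
        "denied": denied,
        "shared_credentials": p.unattributable_accounts(),
        "m1_readers": p.accesses_to("m-1"),
        "log_entries": len(p.audit_log),
    }


if __name__ == "__main__":
    print(demo())
```

Two things in this design map directly onto the ruling: `unattributable_accounts()` is the check that fails while a credential has more than one holder, and the audit log records the denied attempt as well as the allowed reads, so access never happens "without leaving a trace".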
The GDPR has created higher security expectations for the personal data that organizations process. It requires organizations to use advanced encryption, limit their employees’ access to only the personal data they need to do their work, and assess their overall security on a regular basis. The penalty against Rousseau also shows that data processors may be particularly liable for GDPR compliance in terms of data security. In this case, the 5 Star Movement was the data controller and Rousseau was the data processor, but the party avoided any sanction. To avoid GDPR fines, therefore, data processors must also be careful to meet the expectations of Article 32.
The GDPR makes many demands of businesses, but by being proactive and putting in the effort, you can achieve GDPR compliance. Our GDPR checklist and our overview of the law are great places to start. If you’re a business in the US, we have a checklist for you as well.