Record fines for Vodafone Germany: €45 million and a reprimand 💥

Privacy Compliance

Recently, the German privacy regulator BfDI imposed a record fine on Vodafone GmbH (Vodafone):

1️⃣ €15 million fine for inadequate supervision of partner agencies (processors): external parties amended existing client contracts, or concluded new ones, without having obtained valid consent from the data subjects. Vodafone failed to properly audit these partner agencies for compliance with the processing agreements concluded with them. This is in direct conflict with the obligation under Article 28 of the GDPR regarding the control/audit of processors.

2️⃣ €30 million fine for serious weaknesses in the authentication process. Security vulnerabilities in the "MeinVodafone" portal and the hotline made it possible for third parties to misuse customers' eSIM profiles, which constituted a serious breach of the obligation to take appropriate technical and organizational measures (Art. 32 GDPR).

3️⃣ In addition, an official reprimand was imposed for structural shortcomings in data security and supervision.

🔍 What do we learn from this?

1️⃣ Responsibility doesn't end with outsourcing
Organizations remain responsible for the actions of the third parties they engage. Vodafone did not have its audit process in order, resulting in a fine of €15 million.

2️⃣ IAM and authentication processes must be robust
A weakness in authentication means data breach risk, and therefore fine risk.

3️⃣ Privacy compliance must be managed!
A total of €45 million plus reputational damage underlines this: privacy must be taken seriously as a strategic theme and not just as a compliance check. Implement a well-functioning privacy management system, so that you carry out all your privacy checks and audits on a recurring cycle. Or better yet, go for a privacy certification like the BC 5701.

Key take-away
Make sure that your privacy management system is demonstrably functioning, so that you periodically carry out all necessary checks and audits on your privacy controls and are, and remain, demonstrably compliant with the GDPR.

👉 We help you with audits, risk analyses and the implementation of privacy management systems.

Source: https://lnkd.in/e_fmAaZY

#GDPR #Dataprivacy #Cybersecurity #VendorRisk #Telecom #Vodafone #Compliance #AVG #DPIA #ThirdPartyRisk #BC5701 #TheDataComplianceBuilders

Contact Us for a Free Consultation

Do you have a question about one of our services, or do you need advice? Get in touch with us.

Contact Us

Bakemastraat 48 3544MT Utrecht

+31-615234409

KVK: 66569346

© The Data Compliance Builders
