By Marcus Grazette, Europe Policy Lead at Privitar

The Belgian Data Protection Authority (DPA) recently fined an unnamed financial institution €100,000 after the institution failed to impose appropriate controls on its employees’ access to and use of personal information. This decision highlights the need for organizations to take appropriate measures to manage and monitor access. Data request and approval workflows can help.

What happened?

In summary, an employee had access to a consumer credit register maintained by the Belgain Central Bank. He abused this access to look up information relating to his ex-wife, for personal reasons, on around 20 occasions. The ex-wife discovered that information relating to her had been accessed and brought two complaints, against the individual employee and against the financial institution, his employer. The decision (only available in French) provides more details on the facts of the case.

What is the legal and regulatory context?

The European Data Protection Board (EDPB) discusses an organization’s liability for an employee’s actions in Opinion 7/2020. The EDBP says that an employee using data for their own purposes bears responsibility for this unauthorised use of personal data. The Belgian DPA confirmed that the employee would be liable for his unauthorized use of the credit register data. 

The DPA also found that the organization should have implemented appropriate technical and organisational measures to prevent unauthorised data use by employees. The responsibility to implement appropriate controls is set out in Articles 5(f) and 24 of the GDPR.

What does it mean for organizations?

Unauthorized access to personal data can have a significant impact on your business. The Belgian DPA decision highlights the need for organizations to manage employee access to personal data. We see two main ways organizations can do this in a scenario like the one in the Belgian case: access controls with approval workflows, and logging. 

Data access request and approval workflows
In this example, it appears that the employee had unrestricted access to query the credit data. Access request and approval workflows could require employees to request permission to access data, including information on the purpose of their request. Some aspects of these controls could be automated, for instance if an employee requests access to information relating to person X, a control system could check whether person X is a client or prospective client of the financial institution. That simple check could have prevented the unauthorised access in this case.

Logging access to data enables audits, reinforces accountability and can deter unauthorized data use. An employee may be less likely to misuse data if they know that their actions are being monitored. Logging data use also supports your obligation to maintain a record of processing activities, as required under Article 30 of the GDPR. In the Belgian example, comprehensive access logs would have raised the alarm about the employee’s behaviour.

The Belgian DPA’s decision highlighted the lack of technical and organisational measures both to limit unjustified access to data and to enable traceability after the fact. The DPA underlined the need to take GDPR requirements into account when designing internal procedures, for example the existence and effectiveness of processes for controlling access to data. The approvals and logging processed described above meet those requirements.

In some cases, de-identification will also be relevant. De-identification helps to ensure that employees only have access to the specific data they need. For example, redaction or generalization can transform a full date of birth into just a month and year of birth or into an age range (e.g. 40 – 45). Using generalized or redacted information in cases where it is sufficient supports data minimisation, helps to protect privacy and limits the scope for an employee to misuse data. Other Privacy Enhancing Technologies (PETs) such as tokenization, perturbation or encryption may also be relevant. Choosing the “right” combination of PETs, and other controls, will depend on the specific use case.

Want to learn more about how Privitar enables scalable and flexible data privacy execution and management? Download this data sheet, or request a demo with one of our privacy experts.