Avoiding fines is never the primary aim of the support we give our clients. We focus on helping them meet privacy obligations and commitments. However, a recent case demonstrated that a real effort to get things right will help achieve a favourable outcome if something goes wrong.
The Swedish data protection authority (IMY) published the outcome of its inspection and subsequent investigation of Digital Medical Supply Sweden AB (KRY), a provider of video-based health services.
The inspection concluded there were a number of failings in KRY’s compliance with the requirements of the GDPR and Swedish privacy legislation, particularly in respect of ensuring appropriate security of personal data:
- KRY had not completed a needs and risk analysis, meaning it could not show there were security measures in place appropriate to the risks;
- it had not restricted user permissions, so users had access to patient data that was not necessary for them to perform their duties; and
- KRY had not taken sufficient measures to ensure and demonstrate appropriate security for personal data.
The Swedish DPA concluded that these failings, in the context of KRY’s activities, the nature of the personal data being processed, and the number of records involved, would ordinarily give rise to a fine. However, it acknowledged that consideration must be given to whether a fine (and the level of fine) is effective, proportionate, and dissuasive.
In this case KRY had proactively engaged with the Swedish DPA and made real efforts to comply. As a consequence, the Swedish DPA concluded a fine was not proportionate and that instead KRY should simply be required to rectify its processing.
The moral of this story is that making a genuine and concerted effort to comply, and demonstrate accountability, can go a long way in reducing a fine, or even avoiding one, should a problem arise. You can see the full decision (in Swedish) here: https://www.imy.se/globalassets/dokument/beslut/beslut-tillsyn-digital-medical-supply-sweden-di-2019-3845.pdf