One of Germany’s biggest DSL and mobile service companies has been fined over EUR9.5 million for GDPR non-compliance.

1 & 1, which is a subsidiary of 1 & 1 Drillisch AG (which has about 14 million customers) and is part of the United Internet Group (which includes 1&1 IONOS), was fined because the BfDI (Germany’s Federal Commissioner for Data Protection and Freedom of Information) discovered that customers calling its call centre could obtain information by providing just their name and date of birth (information that could be easily discovered and stolen). BfDI said this meant that personal information was not properly safeguarded, as per Article 32 of GDPR.

In fining the company EUR9.55 million ($10.6 million), the BfDI said the penalty was for a poor authentication process that failed to use “sufficient technical and organisational measures” to protect customer data. The company said it will appeal the fine. Data protection officer Julia Zirfas contended that the firm considered the fine to be “disproportionate”.

BfDI acknowledged that 1 & 1 had been cooperative and had since remedied the problem by adding an extra authentication step. But despite the size of the fine, the regulator said this was relatively low in recognition of 1 & 1’s cooperation – suggesting much higher fines were in the pipeline for those found non-compliant in future.

In a sign that the BfDI was toughening its stance on non-compliance, it also fined ISP Rapidata EUR10,000 ($11,100) for having no data protection officer in place, which is another requirement of GDPR.

Fining a company is one thing, but getting them to pay up is quite another as the UK’s Information Commissioner has discovered. The ICO recently revealed that it is still owed 30% of the fines it’s handed out for data breaches, spam and nuisance calling since 2015 (totalling 42% of the value).

While charities and public sector organisations have all paid up, enterprises haven’t.

  • The public sector has the highest number of fines for data breaches (60 of 110).
  • 84% of the £3.2 million in fines from the claims management industry haven’t been paid.
  • 85% of fines for data breaches have been paid, but only 23% for nuisance calls.

However, in a sign that it too is getting serious about non-compliance, the ICO has recently announced fines of £183 million for British Airways and £99 million for Marriott International, with GDPR giving it the power to levy much higher fines than under the old regime.

Omnisperience’s view

It has now been almost 18 months since GDPR came into force. This move by Germany’s regulator indicates that countries now consider enterprises have had long enough to ensure they’re compliant. This latest news shines a light on how telecoms firms are performing, and with two being fined in a single week in Germany, it reminds other service providers to review their compliance to avoid embarrassing cases such as this.

While there is no suggestion that data has been breached, 1 & 1 is being fined due to the potential for a breach – essentially for having sloppy processes. Even though it acted quickly to fix the problem, the fine was still substantial. Worryingly, BfDI indicated it would have been even higher had the firm not cooperated and rapidly complied.

Telecoms firms are advised to carefully look at their processes to ensure they are compliant or risk further embarrassing and damaging headlines. Many will still not be compliant. According to a study conducted by the European Business Awards and RSM in mid-2019, for example, only 57% of respondents felt confident their firm was currently compliant with GDPR, while a study by Delphix found that in some firms the security officer was actually lying to other board members by assuring them they were compliant when he or she knew the firm was non-compliant.

These are worrying times indeed. We expect more mega fines in 2020 as regulators and information commissioners seek to ensure companies are acting on their duties under GDPR. It is well worth service providers taking the time and trouble to double check compliance by auditing their processes once again.

Posted by Teresa Cottam

Teresa is the Chief Analyst at Omnisperience and has over 25 years' experience in the telecoms and technology markets. She is an expert on SME and enterprise telecoms, and has considerable vertical market expertise. Her research focus lies in helping B2B telecoms firms become more commercially successful by better understanding and meeting their customers' needs. She is a judge of the GSMA Global Mobile Awards (GloMo's) for customer experience and enterprise innovation, and for the UK Cloud awards. You can follow her on Twitter @teresacottam
