By Tim Rollins
On April 6, 2022, the Danish data protection authority fined Danske Bank 10m DKK, approximately $1.5 million, for violations of the General Data Protection Regulation (GDPR). The fine was levied not for a privacy breach, but for the inability to provide documentation regarding the storage and deletion of personal data across hundreds of systems storing data on millions of people.
Datatilsynet, the Danish data protection authority, fined Danske Bank 10m Danish kroner and reported it to the police for violations of GDPR, with recommendations that the public prosecutors also levy their own fine for the bank’s failure to delete customers’ data from its many internal systems. Notably, Datatilsynet explained the basis for the fine as a failure to “present proper procedures for deleting and storing personal data” in its internal systems.
The investigation began in November 2020 as a result of Danske Bank’s self-reported concerns over its data retention policies and the fact that they may not be fully GDPR compliant. In a public statement from December 2020, the bank explained that despite their efforts beginning in 2016 to become compliant with GDPR, “we currently expect our systems to be compliant by the end of 2021”—three and a half years after the law came into effect.
Danske Bank’s compliance team identified the lack of an organization-wide information records management framework and insufficient data governance as causes for their inability to reach GDPR compliance in a timely manner.
What It Covers
Notably, the fines levied by Datatilsynet and its recommendation for criminal investigation are not in response to the loss or breach of personal data by Danske Bank. In a statement issued in April 2022, Danske Bank stated, “our customers’ data is secure and has been secure all along.” Instead, it was issued on the basis of the bank’s failure to delete customers’ personal data and because, in the words of a Datatilsynet consultant, “it is particularly crucial that you can also document that the deletion actually takes place.”
The 10 million DKK fine, while not nominal, is not especially large, given the scale of other fines issued by European data protection authorities. However, the referral for criminal investigation and the fact that the infraction was self-reported are worth noting. Despite being aware of its non-compliance in 2018, Danske Bank did not inform the Danish data protection authority until December 2020, 31 months after GDPR came into effect in May 2018.
Data retention and accountability are two aspects taken very seriously by data protection authorities. Many organizations concentrate on compliance when collecting and processing data, but remain weak on data retention and deletion. Implementing solid data deletion processes is burdensome, especially where data is unstructured or, as in the case of Danske Bank, the organization uses many IT solutions.
Danske Bank's cooperation with the data protection authority certainly helped it avoid a higher fine. However, GDPR contains no principle under which self-disclosure avoids a fine.
If they have not already done so, organizations should establish solid data retention and data deletion concepts, with data minimization in mind, implement processes for them, and document how those processes are applied. Companies should also consider the downward flow of data and ensure contractual provisions are in place with processors and subprocessors to protect the data and ensure consistent application of standards. Compared to the day GDPR entered into force, many software solutions now provide good data deletion functionality.
Data Privacy Tip
Learn how to operationalize data retention for your organization in our recent whitepaper, Filling in Your Blind Spots: Implementing a Successful Data Retention Program.