Recently H&M have been given a fine of 35 million euros plus small change from the Data Protection Authority in Hamburg (in Germany there are federal data protection authorities) for unusually intrusive processing of employee personal data. This included “excessive” records on the families, religions and health of its workers, which fed into HR management decisions.
The practices at H&M came to light when the regulator started to investigate a security breach at one of its service centres in Germany in October 2019. It is reported that H&M cooperated with the investigation and has since apologised to employees and paid compensation. It also introduced changes to how personal data is managed and how data protection compliance is controlled at the organisation. Still, it landed a hefty fine at this very difficult time for many businesses.
The case illustrates how systemic failures in data protection compliance can be unearthed during the investigation of a complaint or breach of data protection.
It is so important to ensure that local problems do not highlight systemic failures. Accountability means having a compliance framework in place. Key elements of that framework are:
- Designating roles and responsibilities
- Having appropriate policies and procedures in place
- Training colleagues including signposting the policies and procedures
- Compliance checking on a continuing basis
These key elements will firstly help to prevent rogue data processing activity and secondly help to establish a defence for the organisation should a rogue element come to light. It is not rocket science; it is compliance management. If there is insufficient skill or resource to manage data protection compliance, outsource it.
At Data Protection Consulting we are passionate about data protection, and we have the skills and know-how to implement a compliance programme to keep your business up to date with changes in data protection law and practice.
Mandy Webster, Data Protection Consultant, Data Protection Consulting