A General Data Protection Regulation (GDPR) fine that accompanies a data breach is usually the result of either a threat actor attack or the discovery of a database that is open to the public. The €35,258,707.95 (about $41 million USD) that fashion retailer H&M is on the hook for does not stem from a cloud server misconfiguration, but the massive penalty was levied due to the exposure of something more substantial than customer contact information.
A 2019 data breach revealed that H&M had been creating highly inappropriate profiles of the private lives of some of its employees for at least five years. The company earned the GDPR fine by recording personal information gleaned from one-on-one conversations: religious beliefs, medical conditions and procedures, family issues and details about trips that they took while on vacation among other items. Supervisors at the company’s Nuremberg service center would take note of these details while conversing with employees and then log them in a database that up to 50 other managers had access to.
Largest GDPR fine to date for employee data violations
H&M is the world’s second-largest fashion retailer and employs about 126,000 people in total, but the incident seems to have been limited to the German customer service center which has several hundred employees.
The breach occurred in October of 2019, when a database configuration error made the contents of these files visible to employees across the company’s internal network. In response to the decision, H&M corporate issued a statement claiming that the actions taken at the Nuremberg center were not in line with company policy. The company said that it had made “management personnel changes” at the location, had revised its instructions and training policies for managers, and was implementing new data privacy and auditing processes. The company also apologized to its employees and indicated that some sort of financial compensation would be paid out in addition to the GDPR fine.
The personal information appears to have been collected during informal conversations between employees and supervisors while working on the floor of the center, as well as during “welcome back talks” with team leaders that employees were required to attend after having been absent from work. H&M has not offered an explanation for why this personal data was gathered, but based on the circumstances and the types of information recorded it seems reasonable to speculate that managers were maintaining some sort of “excuse database” to refer to when employees called out of work or requested time off. The investigating data protection authority simply said that the information was gathered “for measures and decisions regarding their employment,” indicating that some of the elements (such as religious faith) might have come into play during promotion or transfer decisions.
The Hamburg State Commissioner for Data Protection and Freedom of Information (HmbBfDI) reviewed some 60 GB of data in addition to interviewing staff at the service center in Nuremberg. HmbBfDI’s determination was that “the combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights” and opted to levy the largest GDPR fine yet seen for an internal breach of employee information.
The pandemic and employee data handling risks
In addition to sending a message to EU companies that GDPR fines will be heavy in cases of internal data breaches that harm employees, the H&M case highlights an issue that is growing during the pandemic. As remote work arrangements increase due to necessity and the line between “workplace” and “home” blurs, organizations find themselves negotiating new data privacy issues and potential liabilities.
Many of the EU’s Data Protection Authorities (DPAs) have issued guidance on the collection of employee personal data during pandemic conditions to help them avoid GDPR fines, including some of the items that were involved in this breach (health data and information about personal travel). Some DPAs are also reporting an increase in data protection requests and complaints from employees that have been laid off or let go during the pandemic, indicating that more companies may be facing the sort of GDPR fines that H&M has if there are any questionable elements lurking on their internal networks.
These potential violations of personal privacy are most often tied to tools that organizations adopt to rapidly scale up remote work capabilities, some of which have not been thoroughly vetted and tested before being deployed. One particularly contentious area is the use of “productivity monitor” tools designed to ensure that the employee is “on the clock” while at home, with some of these tools monitoring the desktop or periodically taking screenshots. Even if the organization does not intend to scoop up any of its employees personal data, these tools often require very high levels of privileged access to devices and may be logging items that are in violation of data privacy laws.
How do organizations avoid monster GDPR fines (along with similar trouble in other areas of the world)? It’s important to map out all data processing activities, ensure that privacy compliance programs are up-to-date with all tools that are being used for remote work, and limit access to any personal data that might fall under the purview of the human resources department.