It took a while. I expected GDPR enforcement to hit sooner, and I expected the authorities to go after non-European companies. I was wrong on both counts.
1&1, a German telco, just got hit with a significant fine for GDPR violations: 9.55 million euros. The case is very interesting to me, especially if you read the original release by the German Data Protection Authority: BfDI verhängt Geldbußen gegen Telekommunikationsdienstleister (BfDI imposes fines on telecommunications service providers).
A telco faces a real challenge here (I know that from my past): when you, as a customer, call the help desk and want help, the person at the help desk basically needs access to your whole telco life: where you have been, whom you called, and so on. That is because you might have a question about your bill, problems with calls, etc. How do you protect this data while giving full access? We had pretty strict controls (technical and organizational) and were very strict if somebody violated them.
Now, it seems that the processes applied by 1&1 were not sufficient from the perspective of the German Data Protection Commissioner. At least it seems that the authority is ready and willing to enforce GDPR.
An English version of the article can be found here: 1&1 hit with million-euro GDPR fine
It will be interesting to see how this develops.