Barreiro Montijo hospital in Portugal has been hit with a substantial fine for violating the General Data Protection Regulation. The Portuguese data protection authority, CNPD, imposed the first significant GDPR fine of €400,000.
Unauthorized access to personal data
The hospital allowed technicians to view sensitive patient data in the IT system that should only have been accessible to physicians. Furthermore, a total of 985 active users were registered as “physicians” in the system, even though only 296 physicians actually worked in the hospital in 2018.
How it works: GDPR-compliant permission management
It is not possible to meet the requirements of the GDPR without a structured permission management strategy. We therefore recommend taking the following measures:
- Avoid uncontrolled growth: Set up an authorization concept for internal and external users. Define any relevant systems, user groups and authorization levels. Ask yourself: Do your users only have the specific permissions they actually need to carry out their jobs?
- Establish processes that help you implement your authorization concept in day-to-day business (for instance, a controlled process for disabling permissions when a user switches departments or leaves the company).
- Strictly document all permissions so that you can always trace – even after years – who had access to which personal information and when.
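One way to check the three measures above against actual data, as an added example that is not tenfold's own code: it reconciles a constructed IAM export with a constructed HR roster, using an assumed job-to-role mapping, and flags role assignments that HR does not back, leavers whose accounts are still active, and department moves that were never processed. The per-role headcount comparison is the kind of check that would have surfaced 985 "physician" accounts against 296 actual physicians.

```python
# Added example (not tenfold's code): an access review that reconciles an IAM
# export against the HR roster. All records below are constructed sample data.
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Account:
    user: str
    role: str          # role assigned in the clinical IT system
    department: str    # department the account's permissions are scoped to
    active: bool

@dataclass(frozen=True)
class HrRecord:
    job: str           # job title according to HR
    department: str
    left_on: Optional[date] = None   # set once the person has left

# Which system role a job legitimately entitles someone to (assumed mapping).
ROLE_FOR_JOB = {"physician": "physician", "nurse": "nurse", "technician": "technician"}

IAM_EXPORT = [
    Account("a.silva", "physician", "cardiology", True),    # correct
    Account("j.costa", "physician", "it-services", True),   # technician holding physician role
    Account("m.pinto", "physician", "oncology", True),      # left the hospital, never disabled
    Account("r.neves", "nurse", "oncology", True),          # moved departments, not updated
    Account("t.lopes", "technician", "it-services", False), # already disabled, ignored
]
HR_ROSTER = {
    "a.silva": HrRecord("physician", "cardiology"),
    "j.costa": HrRecord("technician", "it-services"),
    "m.pinto": HrRecord("physician", "oncology", left_on=date(2018, 3, 31)),
    "r.neves": HrRecord("nurse", "surgery"),
    "t.lopes": HrRecord("technician", "it-services"),
}

def review_access(accounts, roster):
    """Return (user, finding) pairs for active accounts that violate the concept."""
    findings = []
    for acct in (a for a in accounts if a.active):
        hr = roster.get(acct.user)
        if hr is None or hr.left_on is not None:
            findings.append((acct.user, "leaver-still-active"))
            continue
        if ROLE_FOR_JOB.get(hr.job) != acct.role:
            findings.append((acct.user, "role-not-backed-by-hr"))
        if hr.department != acct.department:
            findings.append((acct.user, "department-mismatch"))
    return findings

def role_headcount_gap(accounts, roster):
    """Per role: (active accounts holding it, current staff whose job entitles them to it)."""
    assigned = Counter(a.role for a in accounts if a.active)
    entitled = Counter(ROLE_FOR_JOB.get(h.job) for h in roster.values() if h.left_on is None)
    return {r: (assigned[r], entitled[r]) for r in set(assigned) | set(entitled)}
```

Run the two functions against a real export and roster on a fixed schedule, and keep each run's findings as the audit record that measure three asks for.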
Use tenfold to comply with GDPR requirements
With tenfold, you can put the relevant access rights into place to help ensure that personal data are always protected from wrongful and unlawful use. Reduce permissions to a minimum and prevent data theft or misuse due to incorrectly assigned access rights.
Sign up for our free webinar now and find out how tenfold can help you to implement and comply with the GDPR’s requirements for permission management.