Incident detection vendor SecBI found suspicious activity on company devices at one of its clients. Contract with the companys employee union prohibited anyone in the organization from looking at employees personal data. The data indicated possible bad behavior on the part of an employee, but the company did not have sufficient cause to investigate under the terms of the union contract. If there indeed was a data breach, they risked breaking the 72-hour reporting rule by breaching the EU’s General Data Protection Regulation.”]
Source: https://www.csoonline.com/article/3265024/are-you-letting-gdpr-s-privacy-rules-trump-security.html