
GDPR Fines Issued So Far: Key Takeaways

One year after GDPR took effect, regulators have logged over 89,000 breaches, investigated hundreds of cases, and issued fines exceeding €56 million, led by Google’s €50 million penalty. Enforcement shows that both global corporations and smaller organizations face scrutiny for weak access controls, delayed breach reporting, and failure to inform data subjects. With higher penalties looming, companies must strengthen identity-based access, data governance, and breach response to avoid costly sanctions.

The GDPR at a glance

It has been a year since the General Data Protection Regulation (GDPR) came into effect, following years of discussion about data security fit for the digital age. One of the most stringent regulations to date, the GDPR applies to every business or public body that collects, processes or stores the personal data of EU residents. This includes not just every employer in the EU but every organization anywhere in the world that offers products and services to EU residents, as well as companies that process their personal data on behalf of other organizations. Because of its global reach, the GDPR has led to massive change in personal data protection, both within the EU and beyond.

The European Data Protection Board (EDPB) reports that during the first year since the GDPR went into effect, over 89,000 data breaches were logged and 446 cross-border cases were investigated by data protection authorities. In addition, the European Commission notes that the number of queries and complaints from individuals about the security of their data is rising, which suggests increasing public awareness of the data protection rights afforded by the GDPR.

Another significant impact of the GDPR is that it is helping to reveal how data is processed by internet giants, social media platforms and companies in other industries — a topic people everywhere have a lot of concerns about. For example, in its 2018 Annual Report, the Irish Data Protection Commission (DPC) stated that it had opened inquiries into the data-processing activities of a number of multinational internet and technology companies based in Ireland, including Facebook, Apple, Twitter, LinkedIn, WhatsApp and Instagram.

GDPR non-compliance cases: What we’ve learned

An EDPB report covering the first nine months after the GDPR took effect reveals that regulators in 11 European countries imposed more than 56 million euros in fines. Most of this amount comes from a single sanction — the massive €50 million fine imposed on Google by the French data protection authority.

That is the biggest GDPR fine so far, but it’s difficult to say how long Google will retain that dubious distinction. There are ongoing investigations into several serious data privacy violations, with the fines yet to be announced. One of them is a data breach at British Airways, investigated by the UK’s Information Commissioner’s Office (ICO). Under the GDPR, the company could be fined up to 4% of its global annual turnover, which would be a fine of €560 million — an order of magnitude larger than Google’s penalty.

There have also been numerous enforcement actions involving smaller organizations with much lower fines. That suggests that authorities largely regarded the first year as a transition period for alerting companies and supporting them on their way to GDPR compliance, rather than chasing down every infringement and imposing maximum penalties.

Nevertheless, a number of organizations have already been slapped with significant GDPR fines. Here are some of their stories:

Failure to implement appropriate technical and organizational controls

Who: Centro Hospitalar Barreiro Montijo (a Portuguese hospital)

When: July 2018

How much: €400,000

Violation: The hospital had 689 users associated with “doctor” profiles that granted excessive access rights, even though there were only 296 doctors at the hospital. Moreover, all doctors had unrestricted access to all patient files, regardless of the doctor’s specialty. The last time the hospital deactivated a user account was in November 2016. The hospital also had no documentation explaining user access rights, and no documents defining the rules for creating users of its information system.

Key takeaways: Article 25 of the GDPR requires organizations to implement appropriate technical and organizational measures for ensuring that sensitive data is processed properly and is accessible only to the appropriate people. Here are the most important steps to take:

  • Determine what sensitive data you have and who has access to it. Using an automated data classification solution will help you separate the most critical assets from less sensitive data.
  • Find GDPR-regulated data that is overexposed. Minimize account privileges based on the requirements of the tasks or job. Perform periodic access reviews to ensure that the principle of least privilege is being adhered to.
  • Make sure that all regulated data is stored in a secure location according to its value and sensitivity.
  • Keep your security controls updated and be ready to provide evidence that your company is processing personal data securely.
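The hospital finding above is exactly what a periodic access review is meant to catch: more “doctor” profiles than doctors, and accounts nobody has deactivated in years. The script below is an added illustration (not code from the post or from Netwrix) that reconciles a constructed IdM account export against a constructed HR roster of actual doctors and reports privileged profiles without a matching role, stale accounts and never-used accounts.

```python
"""Periodic access review: reconcile IdM accounts against the HR roster.

All data here is constructed for illustration. In practice the account
list comes from the identity store (AD, HR-driven IdM, the EHR itself)
and the roster from HR, so that the review is based on who actually
holds the job, not on who was once given the profile.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Account:
    user_id: str
    profile: str                 # e.g. "doctor", "nurse", "admin"
    last_login: Optional[date]   # None = never logged in
    active: bool


# Constructed HR roster: user_ids of people currently employed as doctors.
DOCTOR_ROSTER: Set[str] = {"u001", "u002"}

# Constructed IdM export (mirrors the pattern in the hospital case).
ACCOUNTS: List[Account] = [
    Account("u001", "doctor", date(2019, 5, 20), True),
    Account("u002", "doctor", date(2019, 5, 18), True),
    Account("u003", "doctor", date(2016, 11, 2), True),  # left years ago, never deactivated
    Account("u004", "doctor", date(2019, 5, 1), True),   # IT staff holding a doctor profile
    Account("u005", "nurse", date(2019, 5, 21), True),
    Account("u006", "nurse", None, True),                # provisioned, never used
]


def review_access(accounts: Iterable[Account], roster: Set[str],
                  privileged_profile: str, today: date,
                  max_idle_days: int = 90) -> Dict[str, object]:
    """Return review findings. Lists hold user_ids, sorted for stable output."""
    no_role: List[str] = []     # privileged profile but not on the roster
    stale: List[str] = []       # active but idle longer than max_idle_days
    never_used: List[str] = []  # active but never logged in
    profile_count = 0
    for a in accounts:
        if not a.active:
            continue  # already deactivated: nothing to review
        if a.profile == privileged_profile:
            profile_count += 1
            if a.user_id not in roster:
                no_role.append(a.user_id)
        if a.last_login is None:
            never_used.append(a.user_id)
        elif (today - a.last_login).days > max_idle_days:
            stale.append(a.user_id)
    return {
        "profile_without_role": sorted(no_role),
        "stale": sorted(stale),
        "never_used": sorted(never_used),
        "profile_count": profile_count,   # compare with headcount, as the regulator did
        "headcount": len(roster),
    }


if __name__ == "__main__":
    findings = review_access(ACCOUNTS, DOCTOR_ROSTER, "doctor", date(2019, 5, 24))
    print(f"doctor profiles: {findings['profile_count']}, doctors on roster: {findings['headcount']}")
    for key in ("profile_without_role", "stale", "never_used"):
        print(f"{key}: {findings[key]}")
```

Each finding maps to a concrete remediation (remove the profile, deactivate the account, or confirm with HR), and keeping the report gives the documentary evidence the hospital lacked.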

Failure to report a data breach

Who: UAB MisterTango (Lithuanian payment service provider)

When: May 2019

How much: €61,500

Violation: One of the latest stories is about a company that failed to report a personal data breach that happened on July 9–10, 2018. During that two-day period, payment data was publicly available on the internet due to inadequate technical and organizational measures. The data involved 12 banks from different countries and 9,000 payment transactions. The company also violated the GDPR by accessing and collecting more personal data than necessary for the execution of payments, and by storing GDPR-regulated data much longer than necessary — 216 days instead of 10 minutes.

Key takeaways: The penalty in this case demonstrates that GDPR regulators take failure to notify them about a data breach very seriously, especially when the breach involves financial information. Organizations need to have all the necessary controls in place to detect, report and investigate personal data breaches. Consult with your legal advisor about Articles 33 and 34 if you are not sure about the steps for correct data breach notification and when they apply.

To ensure you collect and retain only the minimum information you need for your business processes, you should develop a retention policy that clearly indicates how long to keep each type of data and what to do with it (such as delete or archive it) once you no longer need it or can no longer legally keep it.
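A retention policy is only useful if something enforces it. The following added example (constructed, not from the post or from the company in the case) shows the decision logic such an enforcement job needs: a per-data-type rule giving the retention period and the action (delete or archive), records checked against it, a legal-hold exception that overrides expiry, and a “review” outcome for data that has no rule at all. The sample includes payment data that should live 10 minutes but has sat for 216 days, as in the MisterTango case.

```python
"""Retention decision engine (constructed example).

Policy, records, timestamps and legal holds are all made up for
illustration; the 10-minute and 216-day figures echo the case above.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, NamedTuple, Set


class Rule(NamedTuple):
    keep_for: timedelta
    action: str          # what to do once keep_for has elapsed: "delete" or "archive"


class Record(NamedTuple):
    record_id: str
    data_type: str
    created: datetime


# Constructed policy: one rule per data type the business processes.
POLICY: Dict[str, Rule] = {
    "payment_instruction": Rule(timedelta(minutes=10), "delete"),   # needed only during execution
    "invoice": Rule(timedelta(days=365 * 7), "archive"),            # statutory bookkeeping period
    "marketing_consent_log": Rule(timedelta(days=365 * 2), "delete"),
}

NOW = datetime(2019, 2, 11, 12, 0)  # constructed "current time" for the run

# Constructed records; LEGAL_HOLDS lists record ids frozen for an investigation.
RECORDS = [
    Record("p-1", "payment_instruction", NOW - timedelta(days=216)),   # 216 days, not 10 minutes
    Record("p-2", "payment_instruction", NOW - timedelta(minutes=3)),
    Record("p-3", "payment_instruction", NOW - timedelta(days=30)),
    Record("i-1", "invoice", NOW - timedelta(days=365 * 8)),
    Record("x-1", "session_dump", NOW - timedelta(days=400)),          # no rule exists
]
LEGAL_HOLDS: Set[str] = {"p-3"}


def decide(record: Record, policy: Dict[str, Rule],
           legal_holds: Set[str], now: datetime) -> str:
    """Return one of: keep, delete, archive, hold, review."""
    rule = policy.get(record.data_type)
    if rule is None:
        return "review"          # unclassified personal data must not silently persist
    if record.record_id in legal_holds:
        return "hold"            # legal hold overrides expiry; revisit when lifted
    if now - record.created > rule.keep_for:
        return rule.action
    return "keep"


def run_retention(records: Iterable[Record], policy: Dict[str, Rule],
                  legal_holds: Set[str], now: datetime) -> Dict[str, str]:
    """Map each record id to its retention decision."""
    return {r.record_id: decide(r, policy, legal_holds, now) for r in records}


if __name__ == "__main__":
    for rid, outcome in run_retention(RECORDS, POLICY, LEGAL_HOLDS, NOW).items():
        print(f"{rid}: {outcome}")
```

Running this on a schedule (and logging each decision) gives both the purge mechanism and the evidence that data was not kept beyond its stated period.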

Failure to inform individuals that their data would be processed

Who: Unnamed data controller in Poland

When: March 2019

How much: €200,000

Violation: Under the GDPR, individuals have a right to be informed about the collection and use of their personal data. The organization in this case did properly inform the 90,000 people in its customer base whose email addresses it had — but it did not directly contact the other 6 million people for whom it had no email addresses, citing high operational costs. Instead, the organization chose to present the information about data collection and use on its website.

Key takeaways: Regulators found this approach insufficient, noting that the company had other contact details, such as phone numbers and physical addresses, that it could have used to directly contact customers. The regulators also deemed the infringement intentional because the company was aware of the obligation to directly inform individuals and there was no attempt or even a declared intention to end the infringement.

This recent decision suggests that leniency in GDPR enforcement is over. The company violated key requirements of the law regarding proper handling of personal data and was slapped with a steep fine.

The GDPR’s influence on regulatory systems outside the EU

Since the GDPR came into effect, we have seen similar laws enacted around the world. According to the United Nations Conference on Trade and Development (UNCTAD), over 100 countries now have data protection laws in place. Brazil’s new regulation even has a similar name: General Data Protection Law (GDPL). Over the next few years, we expect to see more enforcement regarding international data exchanges.

The EU is working to introduce the ePrivacy Regulation, which will replace ePrivacy Directive 2002/58/EC (the “Cookie Law”) and complement the GDPR by regulating privacy with respect to electronic communication services, including the use of metadata and cookies.

Data privacy is also being addressed in the U.S. For instance, the California Consumer Privacy Act (CCPA), which has a lot in common with the GDPR, comes into effect on January 1, 2020. Massachusetts is upgrading its data breach law to include new requirements for businesses that collect the personal data of state residents, and Oregon is working on amendments to strengthen cybersecurity laws for organizations that suffer a data breach.

What experts say about the impact of the GDPR

We asked several experts how the GDPR has impacted businesses, and here is what they said:

Douglas Crawford, digital privacy expert, ProPrivacy.com

Arguably the biggest win is that GDPR has forced companies to think carefully about user consent and users’ right to privacy. In reality, it will take some years for the full benefit to consumers to become apparent, but the final result should benefit ordinary internet users everywhere. Because taking a two (or more) tiered approach to user privacy is wildly impractical, companies have been forced to extend the privacy benefits of GDPR to all their customers, regardless of whether or not they live in the EU.

Although the first year has been dubbed a “transition year,” GDPR has so far achieved notable success when it comes to data breach reporting. Within the EU, such reports almost doubled in the first eight months since GDPR was introduced. This is likely to put pressure on the U.S. government to institute similar laws on a federal level, rather than relying on an inefficient morass of state-level legislation that results in low levels of self-reported data breaches.

European regulators are likely to take a more muscular approach to enforcement of GDPR in the coming years. It makes sense to start with cleaning up their own backyard, but once this is done, it is almost certain the regulators will turn their attention more fully onto international firms who do business in Europe.

Monica Eaton-Cardone, co-founder and COO, Chargebacks911

As a global entrepreneur, I’ve noticed that many companies have hired lawyers to assist with their data. When GDPR came into effect, people became more aware of the importance of protecting their data.

Although GDPR helped some businesses grow, there were thousands of complaints with regards to the lack of proper transparency, which wasn’t a surprise. After all, at the time GDPR went live, few merchants had the infrastructure in place to parse data with as much detail as GDPR demands, and few do even now.

Communication between data subjects could change over time to help secure our privacy for the years to come. However, it’s yet to be seen how that will impact fraud in the long term, as we may have increasingly limited access to consumer data.

Simon Fogg, data privacy expert and legal analyst, Termly.io

U.S. companies are now considerably more cautious when targeting customers in the EU. Even though the GDPR came into effect over a year ago, over 1,000 major US publications are still unavailable to EU users — either because those publications never finalized their compliance efforts or because they felt their European customer base wasn’t large enough to justify the necessary (and costly) changes. U.S. companies used to cast a wide net in their data collection practices, but the GDPR has forced many to navigate data boundaries with increased vigilance.

We should expect the number of fines levied for GDPR noncompliance to skyrocket. Although few notable penalties have been issued so far, regulators are still dealing with a large backlog of data breaches. Once they catch up, they will begin to wield their authority with greater force, and companies in the U.S. are likely to be among those hit.

Sweeney Williams, vice president of security, privacy & compliance, Vision Critical

Prior to GDPR, U.S. companies with no physical presence in Europe could operate with little or no regard to EU privacy requirements, since the reach of enforcement was limited and potential fines were low. The GDPR has forced U.S. companies not only to take notice of EU requirements, but to actively enact and enforce those requirements in their own operations, often at great expense. Thousands of companies have hired data protection officers, created complex data flow maps, implemented data subject access processes across dozens of disconnected applications, and made significant upgrades to their data security and privacy operations. On the other hand, a number of U.S.-based companies have chosen to shut down operations that were either located in the EU or were providing products and services to the EU, believing that the cost of lost revenue would be lower than the cost of compliance and potential fines. Some have even gone so far as to block European IPs from connecting to their websites.

The single most significant and beneficial impact of GDPR, both within and outside of the U.S., has been its influence on the public, due to the strong data subject access and transparency rights it features. While the underlying concepts contained in GDPR are not new, awareness of data privacy rights has skyrocketed as a result of the unprecedented amount of press the regulation has generated since its introduction. Individuals now expect to receive the same level of transparency, data access and control rights as those contained in GDPR, and regulators around the world are facing significant pressure from their constituents to enact GDPR-like data privacy legislation in their own countries. In the U.S. specifically, the rate of newly proposed data privacy regulations is at an all-time high and is likely to culminate in the creation of the first-ever U.S. federal privacy law, which some deemed impossible just a few short years ago.

Aki Estrella, privacy advisor, Stellae Legal and Risk Advisors

Mostly, GDPR has changed how companies deal with information and the way they plan for its use. Segregating information, sending notices and training employees/departments to respond to requests from EU citizens have been the most ordinary impacts; however, as we’ve seen, a few companies haven’t quite gotten things right and are dealing with the staggering fines associated with the GDPR. I don’t see any scale-back of companies using data or selling to the EU (or the UK, which passed its own data regulation that is nearly identical).

FAQ

What is GDPR in cyber security?

GDPR (General Data Protection Regulation) in cybersecurity represents a comprehensive framework that mandates specific technical and organizational measures to protect personal data from cyber threats and unauthorized access. From a cybersecurity perspective, GDPR requires organizations to implement data protection by design and by default, meaning security controls must be built into systems from the ground up rather than added as an afterthought. Key cybersecurity requirements include encryption of personal data in transit and at rest, robust access controls that limit data access to authorized personnel only, regular security assessments and penetration testing, and incident response procedures that enable breach notification within 72 hours. GDPR also mandates pseudonymization techniques, secure data backup and recovery procedures, and comprehensive audit trails that track who accessed what data when. For identity and access management, GDPR requires organizations to implement strong authentication mechanisms, regular access reviews, and automated provisioning and deprovisioning to prevent unauthorized data access. The regulation’s “privacy by design” principle means cybersecurity isn’t just about compliance – it’s about building resilient systems that protect personal data as a fundamental design requirement.

Who does GDPR apply to?

GDPR applies to any organization that processes personal data of EU residents, regardless of where the organization is physically located – this means US companies, Asian businesses, and organizations worldwide can all fall under GDPR jurisdiction. The regulation covers two types of entities: data controllers (who determine the purposes and means of processing personal data) and data processors (who process data on behalf of controllers). Your organization is subject to GDPR if you offer goods or services to EU residents, monitor the behavior of EU residents online, or handle EU employee data in multinational companies. Even if your business has no physical presence in the EU, activities such as running targeted advertisements to EU users, processing EU customer orders, or tracking EU website visitors through cookies can trigger GDPR obligations. The key factor is the processing of personal data – any information that can identify an EU resident, including names, email addresses, IP addresses, location data, or online identifiers. Small businesses aren’t exempt if they meet these criteria, though some processing activities may qualify for exemptions. For identity management professionals, this means that any system storing EU personal data requires GDPR-compliant access controls, audit trails, and data subject rights capabilities regardless of your organization’s geographic location.

What is GDPR compliance?

GDPR compliance means implementing comprehensive data protection measures that meet all requirements of the General Data Protection Regulation, going far beyond simple privacy policies to encompass technical safeguards, organizational procedures, and individual rights protection. True compliance requires a multi-layered approach including lawful basis determination for all data processing activities, data protection impact assessments for high-risk processing, appointment of Data Protection Officers where required, and implementation of data subject rights including access, rectification, erasure, and portability. Technical compliance measures include encryption, pseudonymization, access controls, audit logging, and data minimization practices that ensure you collect and retain only the personal data necessary for specified purposes. Organizational compliance involves staff training, policy development, vendor management, and breach response procedures that can meet the 72-hour notification requirement. From an identity management perspective, GDPR compliance means implementing role-based access controls, regular access reviews, automated user lifecycle management, and comprehensive audit trails that can demonstrate compliance during regulatory investigations. Compliance isn’t a one-time achievement but an ongoing process requiring regular assessments, policy updates, and continuous monitoring to maintain protection standards as your business and regulatory landscape evolve.

How to conduct a GDPR compliance audit?

A GDPR compliance audit requires systematic evaluation of your data processing activities, technical safeguards, and organizational procedures to identify gaps and ensure regulatory alignment. Start with data mapping to create a comprehensive inventory of personal data your organization collects, processes, stores, and shares. This includes identifying data sources, processing purposes, legal bases, retention periods, and third-party sharing arrangements. Evaluate technical controls including access management systems, encryption implementations, backup procedures, and security monitoring capabilities to ensure they meet GDPR’s “appropriate technical measures” requirement. Review organizational measures including staff training programs, data protection policies, vendor agreements, and incident response procedures to verify they support GDPR obligations. Assess data subject rights implementation by testing your ability to respond to access requests, rectification demands, and erasure requirements within mandated timeframes. Examine documentation practices to ensure you can demonstrate compliance through records of processing activities, data protection impact assessments, and breach incident logs. For identity management systems, audit user access controls, privileged account management, access review processes, and audit trail completeness to ensure you can track who accessed what personal data when. Document all findings with clear remediation priorities, implementation timelines, and responsibility assignments. Regular audits should occur at least annually or after significant system changes, with continuous monitoring for high-risk data processing activities.

GDPR implementation checklist for identity management?

GDPR implementation for identity management requires systematic deployment of access controls, audit capabilities, and data subject rights support that protect personal data throughout its lifecycle. Begin with access control framework implementation: establish role-based access controls that enforce least privilege principles, implement strong authentication mechanisms including multi-factor authentication for sensitive data access, and deploy automated provisioning and deprovisioning to ensure timely access changes when employees join, move, or leave. Implement comprehensive audit logging that captures who accessed what personal data when, with tamper-proof log storage and regular log analysis to detect unauthorized access attempts. Deploy data discovery and classification tools to identify where personal data resides across your environment, then implement access controls that restrict personal data access to authorized roles only. Establish data subject rights fulfillment capabilities including automated search and retrieval for access requests, secure data modification procedures for rectification requests, and reliable data deletion processes for erasure requests. Configure data retention policies that automatically purge personal data when legal retention periods expire, with exception handling for legal hold requirements. Implement privacy-preserving techniques including pseudonymization for development and testing environments, encryption for personal data at rest and in transit, and data minimization controls that prevent excessive personal data collection. Create incident response procedures specifically for identity-related data breaches, including rapid containment, impact assessment, and regulatory notification capabilities. Document all identity management procedures, conduct regular access reviews, and establish ongoing monitoring to ensure sustained GDPR compliance as your identity infrastructure evolves.

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.