GDPR Fines Issued So Far: Key Takeaways

The GDPR at a glance

It has been a year since the General Data Protection Regulation (GDPR) came into effect, following years of discussion about data security fit for the digital age. One of the most stringent regulations to date, the GDPR applies to every business or public body that collects, processes or stores the personal data of EU residents. This includes not just every employer in the EU but every organization anywhere in the world that offers products and services to EU residents, as well as companies that process their personal data on behalf of other organizations. Because of its global reach, the GDPR has led to massive change in personal data protection, both within the EU and beyond.

The European Data Protection Board (EDPB) reports that during the first year since the GDPR went into effect, over 89.000 data breaches were logged and 446 cross-border cases were investigated by data protection authorities. In addition, the European Commission notes that the number of queries and complaints from individuals about the security of their data is rising, which suggests an increasing public awareness about the data protection rights afforded by the GDPR.

Another significant impact of the GDPR is that it is helping to reveal how data is processed by internet giants, social media platforms and companies in other industries — a topic people everywhere have a lot of concerns about. For example, in its Annual 2018 report, the Irish Data Protection Commission (DPC) stated that it has opened inquiries into the data-processing activities of a number of multinational internet and technology companies based in Ireland, including Facebook, Apple, Twitter, LinkedIn, WhatsApp and Instagram.

GDPR non-compliance cases: What we’ve learned

An EDPB report covering the first nine months after the GDPR took effect reveals that regulators in 11 European countries imposed more than 56 million euros in fines. Most of this amount comes from a single sanction — the massive €50 million fine imposed on Google by the French data protection authority.

That is the biggest GDPR fine so far, but it’s difficult to say how long Google will retain that dubious distinction. There are ongoing investigations into several serious data privacy violations, with the fines yet to be announced. One of them is a data breach at British Airways, investigated by the UK’s Information Commissioner’s Office (ICO). Under the GDPR, the company could be fined up to 4% of its global annual turnover, which would be a fine of €560 million — an order of magnitude larger than Google’s penalty.

There also have been numerous enforcements involving smaller organizations with much lower fines. That suggests that authorities largely regarded the first year as a transition period for alerting companies and supporting them on their way to GDPR compliance, rather than chasing down every infringement and imposing maximum penalties.

Nevertheless, a number of organizations have already been slapped with significant GDPR fines. Here are some of their stories:

Failure to implement appropriate technical and organizational controls

Who: Centro Hospitalar Barreiro Montijo (a Portuguese hospital)

When: July 2018

How much: €400.000

Violation: The hospital had 689 users associated with “doctor” profiles that granted excessive access rights, even though there were only 296 doctors at the hospital. Moreover, all doctors had unrestricted access to all patient files, regardless of the doctor’s specialty. The last time the hospital deactivated a user account was in November 2016. The hospital also had no documentation explaining user access rights, and no documents defining the rules for creating users of its information system.

Key takeaways: Article 25 of the GDPR requires organizations to implement appropriate technical and organizational measures for ensuring that sensitive data is processed properly and is accessible only to the appropriate people. Here are the most important steps to take:

  • Determine what sensitive data you have and who has access to it. Using an automated data classification solution will help you separate the most critical assets from less sensitive data.
  • Find GDPR-regulated data that is overexposed. Minimize account privileges based on the requirements of the tasks or job. Perform periodic access reviews to ensure that the principle of least privilege is being adhered to.
  • Make sure that all regulated data is stored in a secure location according to its value and sensitivity.
  • Keep your security controls updated and be ready to provide evidence that your company is processing personal data securely.
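
One way to run the periodic access review described above, as an added example that is not part of the original article: it reconciles accounts holding a privileged profile against a staff roster and flags orphaned, mismatched, over-scoped and stale accounts. The roster, account fields, user names and the 90-day idle threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the hospital case): an HR roster and
# the accounts defined in a clinical information system.
ROSTER = {
    "e100": {"job": "doctor", "specialty": "cardiology"},
    "e101": {"job": "doctor", "specialty": "oncology"},
    "e102": {"job": "technician", "specialty": None},
}
ACCOUNTS = [
    {"user": "asilva", "employee_id": "e100", "profile": "doctor",
     "scope": ["cardiology"], "last_login": date(2019, 5, 2)},
    {"user": "bcosta", "employee_id": "e101", "profile": "doctor",
     "scope": ["*"], "last_login": date(2019, 4, 28)},
    {"user": "cdias", "employee_id": "e102", "profile": "doctor",
     "scope": ["radiology"], "last_login": date(2019, 5, 1)},
    {"user": "dlopes", "employee_id": "e999", "profile": "doctor",
     "scope": ["*"], "last_login": date(2016, 11, 3)},
]

def review_access(accounts, roster, today, max_idle_days=90):
    """Return {user: [findings]} for accounts that violate least privilege."""
    findings = {}
    for acct in accounts:
        issues = []
        person = roster.get(acct["employee_id"])
        if person is None:
            issues.append("orphaned: no matching staff record")
        elif person["job"] != acct["profile"]:
            issues.append(f"profile '{acct['profile']}' does not match job '{person['job']}'")
        elif set(acct["scope"]) - {person["specialty"]}:
            issues.append("scope wider than own specialty")
        if (today - acct["last_login"]).days > max_idle_days:
            issues.append("stale: candidate for deactivation")
        if issues:
            findings[acct["user"]] = issues
    return findings

def profile_gap(accounts, roster, profile):
    """Accounts holding a profile minus staff who actually have that job."""
    held = sum(1 for a in accounts if a["profile"] == profile)
    staffed = sum(1 for p in roster.values() if p["job"] == profile)
    return held - staffed

if __name__ == "__main__":
    for user, issues in review_access(ACCOUNTS, ROSTER, date(2019, 5, 25)).items():
        print(user, "->", "; ".join(issues))
    print("excess 'doctor' profiles:", profile_gap(ACCOUNTS, ROSTER, "doctor"))
```

Keeping each run's findings, together with the date and reviewer, also gives you the documented evidence of access control that the hospital in this case could not produce.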

Failure to report a data breach

Who: UAB MisterTango (Lithuanian payment service provider)

When: May 2019

How much: €61.500

Violation: One of the latest stories is about a company that failed to report a personal data breach that happened July 9–10, 2018. During that 2-day period, payment data was publicly available on the internet due to inadequate technical and organizational measures. The data involved 12 banks from different countries and 9,000 payment transactions. The company also violated the GDPR when it accessed and collected more personal data than necessary for execution of payments. The company also stored GDPR-regulated data much longer than necessary — 216 days instead of 10 minutes.

Key takeaways: The penalty in this case demonstrates that GDPR regulators take failure to notify them about a data breach very seriously, especially when the breach involves financial information. Organizations need to have all the necessary controls in place to detect, report and investigate personal data breaches. Consult with your legal advisor about Articles 33 and 34 if you are not sure about the steps for correct data breach notification and when they apply.

To ensure you collect and retain only the minimum information you need for your business processes, you should develop a retention policy that clearly indicates how long to keep each type of data and what to do with it (such as delete or archive it) once you no longer need it or can no longer legally keep it.

Failure to inform individuals that their data would be processed

Who: Unnamed data controller in Poland

When: March 2019

How much: €200.000

Violation: Under the GDPR, individuals have a right to be informed about the collection and use of their personal data. The organization in this case did properly inform the 90,000 people in their customer base whose email addresses they had — but it did not directly contact the other 6 million people for whom they didn’t have email addresses, citing high operational costs. Instead, the organization chose to present the information about data collection and use on its website.

Key takeaways: Regulators found this approach insufficient, noting that the company had other contact details, such as phone numbers and physical addresses, that it could have used to directly contact customers. The regulators also deemed the infringement intentional because the company was aware of the obligation to directly inform individuals and there was no attempt or even a declared intention to end the infringement.

This recent decision suggests that leniency in GDPR enforcement is over. The company violated key requirements of the law regarding proper handling of personal data and was slapped with a steep fine.

The GDPR’s influence on regulatory systems outside the EU

Since the GDPR came into effect, we have seen similar laws enacted around the world. According to the United Nations Conference on Trade and Development (UNCTAD), over 100 countries now have data protection laws in place. Brazil’s new regulation even has a similar name: General Data Protection Law (GDPL). Over the next few years, we expect to see more enforcement regarding international data exchanges.

The EU is working to introduce the ePrivacy Regulation, which will replace ePrivacy Directive 2002/58/EC (the “Cookie Law”) and complement the GDPR by regulating privacy with respect to electronic communication services, including the use of metadata and cookies.

Data privacy is also being addressed in the U.S. For instance, the California Consumer Privacy Act (CCPA), which has a lot in common with the GDPR, comes into effect on January 1, 2020. Massachusetts is upgrading its data breach law to include new requirements for businesses that collect the personal data of state residents, and Oregon is working on amendments to strengthen cybersecurity laws for organizations that suffer a data breach.

What experts say about the impact of the GDPR

We asked several experts how the GDPR has impacted businesses, and here is what they said:

Douglas Crawford, digital privacy expert, ProPrivacy.com

Arguably the biggest win is that GDPR has forced companies to think carefully about user consent and users’ right to privacy. In reality, it will take some years for the full benefit to consumers to become apparent, but the final result should benefit ordinary internet users everywhere. Because taking a two (or more) tiered approach to user privacy is wildly impractical, companies have been forced to extend the privacy benefits of GDPR to all their customers, regardless of whether or not they live in the EU.

Although the first year has been dubbed a “transition year,” GDPR has so far achieved notable success when it comes to data breach reporting. Within the EU, such reports almost doubled in the first eight months since GDPR was introduced. This is likely to put pressure on the U.S. government to institute similar laws on a federal level, rather than relying on an inefficient morass of state-level legislation that results in low levels of self-reported data breaches.

European regulators are likely to take a more muscular approach to enforcement of GDPR in the coming years. It makes sense to start with cleaning up their own backyard, but once this is done, it is almost certain the regulators will turn their attention more fully onto international firms who do business in Europe.

Monica Eaton-Cardone, co-founder and COO, Chargebacks911

As a global entrepreneur, I’ve noticed that many companies have hired lawyers to assist with their data. When GDPR came into effect, people became more aware of the importance of protecting their data.

Although GDPR helped some businesses grow, there were thousands of complaints with regards to the lack of proper transparency, which wasn’t a surprise. After all, at the time GDPR went live, few merchants had the infrastructure in place to parse data with as much detail as GDPR demands, and few do even now.

Communication between data subjects could change over time to help secure our privacy for the years to come. However, it’s yet to be seen how that will impact fraud in the long term, as we may have increasingly limited access to consumer data.

Simon Fogg, data privacy expert and legal analyst, Termly.io

U.S. companies are now considerably more cautious when targeting customers in the EU. Even though the GDPR came into effect over a year ago, over 1,000 major US publications are still unavailable to EU users — either because those publications never finalized their compliance efforts or because they felt their European customer base wasn’t large enough to justify the necessary (and costly) changes. U.S. companies used to cast a wide net in their data collection practices, but the GDPR has forced many to navigate data boundaries with increased vigilance.

We should expect the number of fines levied for GDPR noncompliance to skyrocket. Although few notable penalties have been issued so far, regulators are still dealing with a large backlog of data breaches. Once they catch up, they will begin to wield their authority with greater force, and companies in the U.S. are likely to be among those hit.

Sweeney Williams, vice president of security, privacy & compliance, Vision Critical

Prior to GDPR, U.S. companies with no physical presence in Europe could operate with little or no regard to EU privacy requirements, since the reach of enforcement was limited and potential fines were low. The GDPR has forced U.S. companies not only to take notice of EU requirements, but to actively enact and enforce those requirements in their own operations, often at great expense. Thousands of companies have hired data protection officers, created complex data flow maps, implemented data subject access processes across dozens of disconnected applications, and made significant upgrades to their data security and privacy operations. On the other hand, a number of U.S.-based companies have chosen to shut down operations that were either located in the EU or were providing products and services to the EU, believing that the cost of lost revenue would be lower than the cost of compliance and potential fines. Some have even gone so far as to block European IPs from connecting to their websites.

The single most significant and beneficial impact of GDPR, both within and outside of the U.S., has been its influence on the public, due to the strong data subject access and transparency rights it features. While the underlying concepts contained in GDPR are not new, awareness of data privacy rights has skyrocketed as a result of the unprecedented amount of press the regulation has generated since its introduction. Individuals now expect to receive the same level of transparency, data access and control rights as those contained in GDPR, and regulators around the world are facing significant pressure from their constituents to enact GDPR-like data privacy legislation in their own countries. In the U.S. specifically, the rate of newly proposed data privacy regulations is at an all-time high and is likely to culminate in the creation of the first-ever U.S. federal privacy law, which some deemed impossible just a few short years ago.

Aki Estrella, privacy advisor, Stellae Legal and Risk Advisors

Mostly, GDPR has changed how companies deal with information and the way they plan for its use. Segregating information, sending notices and training employees/departments to respond to requests from EU citizens have been the most ordinary impacts; however, as we’ve seen, a few companies haven’t quite gotten things right and are dealing with the staggering fines associated with the GDPR. I don’t see any scale-back of companies using data or selling to the EU (or the UK, which passed its own data regulation that is nearly identical).

Product Evangelist at Netwrix Corporation, writer, and presenter. Ryan specializes in evangelizing cybersecurity and promoting the importance of visibility into IT changes and data access. As an author, Ryan focuses on IT security trends, surveys, and industry insights.