The biggest GDPR penalties for noncompliance

In the months leading up to the launch of the European Union’s General Data Protection Regulation (GDPR), experts warned organizations about the stricter regulations and higher noncompliance penalties that would be coming. The first year after GDPR launched on May 25, 2018, the enforcement of data privacy and penalties for infringements did not live up to the hype.

“Compliance has been slow, enforcement has been lax, and organizations are finding that learning about data origin, residence and use can be hugely daunting and difficult,” the Software Development Times wrote. But that didn’t last for long. Fast-forward to today and GDPR penalties have been coming in fast and furious.

The current state of GDPR fines

From May 2018 to January 2020, the total reported GDPR fines were $139 million—an amount that DLA Piper noted was low. But, things started changing in 2020 and Forrester made a prediction about the compliance landscape and said, “GDPR enforcement is on fire.”

It turns out they were correct. The number of total reported fines more than doubled to $332 million by January 2021. Additionally, there has been a significant increase in breach notifications with an average of 331 notifications per day in 2020. Organizations are realizing that GDPR penalties are serious and making a strong effort to avoid noncompliance fines.

GDPR penalties for noncompliance have increased, and big tech companies have seen major fines imposed. However, no fines have reached the maximum penalty of 4% of global revenue. Even still, demands for accountability and calls for a U.S. version of GDPR have increased, keeping data privacy and protection at the forefront of security discussions.

What are the GDPR fines and penalties?

There are two tiers of GDPR fines that regulators adhere to. The severity of an organizations’ GDPR infringements will determine which tier they fall under—though both tiers are designed to ensure that noncompliance is a costly mistake for businesses.

Lower-tier fines

A lower-level GDPR violation can result in fines of up to $11.03 million or two percent of the company’s annual revenue, whichever is greater.

Higher-tier fines

A more severe violation can result in a fine up to $22.07 million or four percent of the company’s annual revenue, whichever is greater.

These are hefty fines that can impact an organization of any size if they are found to be in violation of the GDPR.

How are GDPR fines calculated?

According to Christian Wigand, a spokesman for the European Commission, GDPR fines are determined based on several factors and administered by the data protection regulator in each EU country. The ten criteria that are typically used to assess GDPR penalties and fines include:

1. Gravity and nature

What happened, how did it happen, and why did it happen? This step of the process takes into account the entire incident. It also considers the number of people affected, damages suffered, and how long the violation took to resolve.

2. Intention

Was the violation intentional or a result of negligence?

3. Mitigation

Did the organization at fault make any attempts to alleviate the damage suffered by people affected by the violation?

4. Precautionary measures

Did the organization have any safeguards, privacy policies, or protections in place for GDPR compliance? Regulators will look at this from both an organizational and technical standpoint.

5. History

Does the organization have a history of noncompliance? Have they had any previous GDPR violations and if so, what was the severity and frequency of past violations?

6. Cooperation

Was the organization cooperative during the discovery and remedy of the GDPR violation? Or was there friction?

7. Data category

What type of personal data the violation affects. Was it sensitive information, and what was the level of sensitivity?

8. Notification

Did the organization proactively report the violation to the supervisory authority? Or was there an unreasonable delay?

9. Certification

Whether or not the organization followed approved codes of conduct or was previously certified.

10. Aggravating/mitigating factors

This criteria pertains to any other issues arising from circumstances of the case, including financial benefits gained or losses avoided as a result of the violation.

The three largest GDPR noncompliance fines

The increase in GDPR enforcement is best illustrated with four of the highest profile fines issued since the data protection regulation took effect.

Amazon fined $823.9 million

In 2021, it was determined that Amazon’s Luxembourg EU headquarters was processing personal data in violation of GDPR rules and the company was issued the largest GDPR non-compliance penalty to date. However, details around the ruling are scarce. Amazon has chosen to appeal the decision and has released a statement claiming that there has been no data breach or customer data exposure to a third party.

WhatsApp fined $247 million

In August 2021, Irish regulators issued a $247 million fine to WhatsApp regarding the company’s lack of transparency on data handling. Following a multi-year investigation, regulators determined that a lack of clarity existed in WhatsApp’s legal notices and the notices failed to provide users with clear information about how their data was being used by the company. As a result of the fine, WhatsApp rewrote its European privacy policy to provide more detail about how data is collected and stored.

Google Ireland fined $99 million

In December 2021, Commission Nationale de l’Informatique et des Libertés (CNIL) fined Google $99 million for its failure to provide users with adequate measures to refuse tracking cookies on and YouTube. By requiring several clicks to refuse cookies but only one click to accept cookies, CNIL found Google to be in violation of GDPR by affecting the freedom of consent of users by means of complicating the refusal process. The committee also noted that Google had previously been alerted of this infringement and failed to take action.

Preparing for data and privacy breaches

The current GDPR noncompliance penalties from data protection regulations — both large and small — are just beginning. While the enforcement actions revolve around standard data breaches, the next wave of fines and penalties will target organizations that fail to respect individuals’ privacy rights. This reality creates two types of data breaches that organizations need to prepare for — “data breaches” and “data privacy breaches.”

Data breaches are massive data dumps of multiple people’s data. Data privacy breaches, on the other hand, are based on three noncompliance actions by organizations:

  1. Managing consent: How the organization uses an individual’s data based on his or her consent.
  2. Processing data: How the organization processes an individual’s personal data.
  3. Sharing data: How the organization share an individual’s personal data

The rising number of GDPR penalties for noncompliance is sure to force organizations to sit up, take notice, and take necessary actions to shore up their data privacy to prepare for two types of data breaches.

How to avoid fines and penalties and comply with GDPR

Among the critical remedies for staying in compliance with the GDPR is being able to both delete an individual’s data and to provide reports on what data your organization possesses upon request. As consumers become more aware of privacy laws and their rights, keeping up with these requests will be a crucial area of focus for organizations in the coming year.

These capabilities can only be accomplished if your company can easily access all of its data. This requires data discovery and collection tools that can search your enterprise from emails to endpoints and discover every instance of sensitive data.

Spirion Data Privacy Manager (DPM) gives organizations full visibility of their data, whether it lives on-premise or in the cloud. DPM’s compliance features make it easy for organizations to respond to Subject Rights Requests. Finding all personal data and responding to incoming requests can seem like a daunting task, but Spirion Compliance makes it easy with AI-driven name recognition, automated workflow management, comprehensive tracking dashboards and more.

To see how Spirion can help you avoid GDPR penalties for noncompliance, watch a demo here.