The biggest GDPR penalties for noncompliance

In the months leading up to the launch of the European Union’s General Data Protection Regulation (GDPR), experts warned organizations about the stricter regulations and higher noncompliance penalties that would be coming. The first year after GDPR launched on May 25, 2018, the enforcement of data privacy and penalties for infringements did not live up to the hype.

“Compliance has been slow, enforcement has been lax, and organizations are finding that learning about data origin, residence and use can be hugely daunting and difficult,” the Software Development Times wrote. But that didn’t last for long. Fast-forward to today and GDPR penalties have been coming in fast and furious.

The significant increase of GDPR fines issued in 2020

From May 2018 to January 2020, the total reported GDPR fines were $139 million—an amount that DLA Piper noted was low. But, things started changing in 2020 and Forrester made a prediction about the compliance landscape and said, “GDPR enforcement is on fire.”

It turns out they were correct. The number of total reported fines more than doubled to $332 million by January 2021. Additionally, there has been a significant increase in breach notifications with an average of 331 notifications per day in 2020. Organizations are realizing that GDPR penalties are serious and making a strong effort to avoid noncompliance fines.

What are the GDPR fines and penalties?

There are two tiers of GDPR fines that regulators adhere to. The severity of an organizations’ GDPR infringements will determine which tier they fall under—though both tiers are designed to ensure that noncompliance is a costly mistake for businesses.

Lower-tier fines

A lower-level GDPR violation can result in fines of up to $11.03 million or two percent of the company’s annual revenue, whichever is greater.

Higher-tier fines

A more severe violation can result in a fine up to $22.07 million or four percent of the company’s annual revenue, whichever is greater.

These are hefty fines that can impact an organization of any size if they are found to be in violation of the GDPR.

How are GDPR fines calculated? 10 criteria to consider

According to Christian Wigand, a spokesman for the European Commission, GDPR fines are determined based on several factors and administered by the data protection regulator in each EU country. The ten criteria that are typically used to assess a GDPR violation and determine the amount of a fine includes:

1. Gravity and nature

This criteria looks at the overall picture—what happened, how did it happen, and why did it happen? It also takes into account the number of people affected, damages suffered, and how long the violation took to resolve.

2. Intention

Was the violation intentional or a result of negligence?

3. Mitigation

Did the organization at fault make any attempts to alleviate the damage suffered by people affected by the violation?

4. Precautionary measures

Did the organization have any safeguards, privacy policies, or protections in place for GDPR compliance? Regulators will look at this from both an organizational and technical standpoint.

5. History

Does the organization have a history of noncompliance? Have they had any previous GDPR violations and if so, what was the severity and frequency of past violations?

6. Cooperation

Was the organization cooperative during the discovery and remedy of the GDPR violation? Or was there friction?

7. Data category

What type of personal data the violation affects. Was it sensitive information, and what was the level of sensitivity?

8. Notification

Did the organization proactively report the violation to the supervisory authority? Or was there unreasonable delay?

9. Certification

Whether or not the organization followed approved codes of conduct or was previously certified.

10. Aggravating/mitigating factors

This criteria pertains to any other issues arising from circumstances of the case, including financial benefits gained or losses avoided as a result of the violation.

The 4 largest GDPR noncompliance fines

The increase in GDPR enforcement is best illustrated with four of the highest profile fines issued since the data protection regulation took effect.

Google fined $55 million

In January 2019, Google was fined nearly $55 million by the French regulator CNIL for improper disclosure to users on how data is collected for personalized advertisements to users. This consists of data collected across Google’s services including its search engine, Google Maps, and YouTube. The ruling takes aim at Google’s business model, which turns data on users into narrowly targeted ads. In a statement, the regulator said Google’s practices obscured how its services “can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations.” To date, this is still the largest penalty issued since the GDPR went live.

Retailer H&M fined $41.5 million

In October 2020, retailer H&M was fined for keeping excessive records on the families, religions, and illnesses of its workforce. Company managers collected sensitive personal data of their employees through informal chats and gossip, and stored that information to be used during work performance evaluations and to make employment decisions. This issue became public after a technical error in which the data on the network drive was accessible to everyone in the company for a few hours. Soon after, the news spread through the press and the Hamburg Commissioner was made aware of this violation.

Telecommunications company TIM fined $33 million

On January 15, 2020, Italian Data Protection Authority Garante issued a $33 million fine to TIM S.p.A. This telecommunications company was found in violation of improper consent, excessive data retention, unlawful data processing and data breaches. TIM commissioned call center companies that made millions of cold calls without proper consent. Some numbers were contacted over 150 times a month, despite being registered in the “opt-out” list.

British Airways fined $26 million

In August 2019, the airline faced a possible fine of $230 million over a September 2018 data breach that leaked customer details, including bank card numbers, expiry dates, and CVV codes in a cyber-attack. The ICO cited poor security arrangements at the airline as a key consideration for the largest GDPR fine this department has issued to date.

In this case, people visiting the British Airways website were diverted to a fraudulent site, where bad actors were able to collect names, billing addresses, email addresses, payment information, and more. The airline later reported that 185,000 additional people who made bookings between April and July may have also been compromised. Eventually, the fine was reduced to $26 million and it was said that “the economic impact of Covid-19” had been taken into account.

Preparing for “Data Breaches” and “Data Privacy Breaches”

The current noncompliance penalties from data protection regulations — both large and small — are just beginning. While the enforcement actions revolve around standard data breaches, the next wave of fines and penalties will target organizations that fail to respect individuals’ privacy rights. This reality creates two types of data breaches that organizations need to prepare for — “data breaches” and “data privacy breaches.”

Data breaches are massive data dumps of multiple people’s data. Data privacy breaches, on the other hand, are based on three noncompliance actions by organizations:

  1. Managing consent: How the organization uses an individual’s data based on his or her consent.
  2. Processing data: How the organization processes an individual’s personal data.
  3. Sharing data: How the organization share an individual’s personal data

The rising number of GDPR noncompliance penalties is sure to force organizations to sit up and take notice — and take the necessary action to shore up their data privacy to prepare for two types of data breaches.

Avoid fines and penalties: how to comply with GDPR

Among the critical remedies for staying in compliance with the GDPR is being able to both delete an individual’s data and to provide reports on what data your organization possesses upon request. As consumers become more aware of privacy laws and their rights, keeping up with these requests will be a crucial area of focus for organizations in the coming year.

These capabilities can only be accomplished if your company can easily access all of its data. This requires data discovery and collection tools that can search your enterprise from emails to endpoints and discover every instance of sensitive data.

Spirion Data Privacy Manager (DPM) gives organizations full visibility of their data, whether it lives on-premise or in the cloud. DPM’s compliance features make it easy for organizations to respond to Subject Rights Requests. Finding all personal data and responding to incoming requests can seem like a daunting task, but Spirion Compliance makes it easy with AI-driven name recognition, automated workflow management, comprehensive tracking dashboards and more.

To see how Spirion can help you become GDPR compliant, watch a demo here.

1