March 4, 2020
After a Slow Start, GDPR Non-Compliance Penalties are Now “On Fire”
Part 2 in a 3-part series on preparing for data privacy breaches.
In the months leading up to the launch of the European Union’s General Data Protection Regulation (GDPR), pundits warned organizations about the stricter regulations and higher non-compliance penalties that would be coming.
The first year after GDPR launched on May 25, 2018, the enforcement of data privacy and penalties for infringements didn’t live up to the hype. At the time, the Software Development Times described the privacy regulation’s impact as minimal to that point. “Compliance has been slow, enforcement has been lax, and organizations are finding that learning about data origin, residence and use can be hugely daunting and difficult,” they wrote.
That sentiment was backed up by other reports. A GDPR Data Breach Survey from DLA Piper found that only 91 GDPR fines had been issued as of February 2019.
Fast-forward to today and GDPR penalties are starting to come fast and furiously. Or as Forrester described the compliance landscape in January 2020, “GDPR enforcement is on fire.”
How Much is the GDPR fine?
Under GDPR, fines for organizations that breach the rules can reach up to 20 million Euros (about $21.8 million), or up to 4% of a company group’s annual global turnover, whichever is higher. Even lesser infringements can cost a company 10 million Euros or 2% annual global turnover.
3 Biggest GDPR Fines
The increase in GDPR enforcement is best illustrated with three of the highest profile fines issued since the data protection regulation took effect.
- Google fined $55 million
In January 2019, Google was fined nearly $55 million by the French regulator CNIL for improper disclosure to users on how its data is collected across its services, including its search engine, Google Maps, and YouTube, to present personalized advertisements. The ruling takes aim at Google’s business model, which turns data on users into narrowly targeted ads. In a statement, the regulator said Google’s practices obscured how its services “can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations.” At that time, the penalty was the largest since GDPR went live.
- Marriott International fined $123 million
In July 2019, the hotel chain was fined $123 million under GDPR. The hotel group suffered a breach in 2018 that was thought to impact 500 million customers. An unauthorized party compromised its Starwood division’s guest reservation database. Information accessed included payment names, mailing addresses, phone numbers, email addresses, 9.1 million encrypted payment card numbers, 385,000 valid card numbers, and 5.25 million unencrypted passport numbers. This was the highest penalty by GDPR until British Airways fine one month later.
- British Airways fined $230 million
In August 2019, the airline faced a possible fine of $230 million over a September 2018 data breach that leaked the customer details, including bank card numbers, expiry dates, and CVV codes in a cyber-attack. The ICO cited poor security arrangements at the airline as a key consideration for the largest GDPR fine this department has issued to date. In this case, people visiting the British Airways website were diverted to a fraudulent site, where bad actors were able to collect names, billing addresses, email addresses, payment information, and more. The airline later reported that 185,000 additional people who made bookings between April and July may have also been compromised.
Other Notable Data Protection Regulation Fines
The three data privacy regulation penalties for Google, Marriott International, and British Airways are the largest fines from GDPR, but they aren’t the only significant ones. There is a growing range of regulatory fines costing companies significant dollars for not meeting GDPR requirements. On January 21, 2020, Nathan Trust published an updated list of GDPR non-compliance fines from organizations around the world. The compliance management company said, “The various European Supervisory Authorities are increasingly active with more and more enforcement actions every week.”
How Are GDPR Fines Calculated?
GDPR fines are determined based on a number of factors, according to Christian Wigand, a spokesman for the European Commission, such as how the company protected its data, how it reacted to a data breach, and whether it cooperated with the authorities.
According to Information Commissioner Elizabeth Denham, “the law is clear” when it comes to people’s personal data. “When you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Preparing for “Data Breaches” and “Data Privacy Breaches”
The current non-compliance penalties from data protection regulations — both large and small — are just beginning. While the current enforcement actions revolve around standard data breaches, the next wave of fines and penalties will target organizations that fail to respect individuals’ privacy rights.
This reality creates two types of data breaches that organizations need to prepare for — “data breaches” and “data privacy breaches.” Data breaches are massive data dumps of multiple people’s data.
Data privacy breaches, on the other hand, are based on three non-compliance actions by organizations:
- Managing consent — how the organization uses an individual’s data based on his or her consent
- Processing data — how the organization processes an individual’s personal data
- Sharing data — how the organization share an individual’s personal data
The rising number of GDPR non-compliance penalties is sure to force organizations to sit up and take notice — and take the necessary action to shore up their data privacy to prepare for two types of data breaches.
How to Comply with GDPR
Among the critical remedies for staying in compliance with the GDPR is being able to both delete an individual’s data and to provide reports on what data your organization possesses upon request.
These two capabilities can only be accomplished if your company can access all of its data. This requires data discovery and collection tools that can search your enterprise from emails to endpoints and discover every instance of sensitive data.
Read Part 3 in this 3-part series for more tips for preparing for data privacy breaches. Or contact Spirion to learn more about GDPR compliance solutions for your company.