After one year of enforcement of the GDPR, businesses can learn much from how the provisions of the regulation have been applied and how organizations have been fined.
Enforcement of the General Data Protection Regulation (GDPR) went into effect May 25, 2018. In the approximately one year since that date, European data protection authorities confirm that almost 90,000 separate data breach notifications have been received. Note that these are only the notifications submitted by organizations attempting to comply with the GDPR. Those same data protection authorities report that during the same year almost 145,000 complaints and inquiries were filed by concerned citizens.
While European data protection authorities are less forthcoming regarding the collection of fines levied under the GDPR, several third-party investigations suggest that at least 100 organizations have paid fines for failing to fully comply with the regulation. By analyzing the higher profile fines, business enterprises may be able to glean vital information regarding the future application of the GDPR to their organizations.
Lessons learned from GDPR fines at the one-year anniversary
Since May 2018, data protection authorities in Europe have levied several high-profile and high-denomination fines against companies for violating provisions of the GDPR:
In December 2018, a Portuguese hospital was fined 400,000 euros for allowing its staff to use bogus accounts to access patient records. According to the investigation, the hospital had 985 registered doctor profiles while only having 296 actual doctors on staff. While the motive for the violation seemed to be a matter of convenience and not malicious intent, the authorities still ruled that the violation was willful and blatant.
In March 2019, a taxi company in Denmark was fined 1.2 million kroner for storing over nine million records of personal contact information on its information technology systems that it no longer needed. The data should have been deleted after it was no longer needed for regular business purposes, as described by the GDPR, but the company failed to comply.
Lesson 1: It does not matter to the European data protection authorities whether violations of the provisions of the GDPR are unintentional mistakes stemming from neglect, laziness, sloppiness, or ignorance. A violation for any reason is punishable and businesses had better take compliance with the GDPR seriously.
In January 2019, Google was fined 50 million euros by French authorities for collecting personal data from users without providing an adequate level of transparency on how that data would be used to personalize advertisements on the platform. Under the provisions of the GDPR, organizations must get valid consent to use personal data for every specific use of that data—no blanket consents are allowed. Google is appealing the fine.
In March 2019, a Polish data processing company was fined 220,000 euros for scraping the internet for publicly available personal data and then using that data to contact over 90,000 individuals for promotional purposes. This was a clear and blatant violation of the GDPR, and some 12,000 of the contacted individuals complained about the activity.
Lesson 2: Willful, deliberate, and blatant violations of the provisions of the GDPR will receive the harshest fines from European data protection authorities. Businesses that attempt to test the resolve of the regulatory authorities will pay dearly for their arrogance.
Lesson 3: The provisions of the GDPR are well known, particularly among citizens of the EU, and individuals who feel those provisions have been violated are more than willing to report offending behavior to the data protection authorities. Unscrupulous businesses that count on the ignorance or passivity of individuals are likely to pay a heavy price for that cynical attitude toward personal data security and protection.
One more high-profile fine lends itself to another lesson for businesses:
In November 2018, Knuddels, a German social media company, reported a data breach. The subsequent investigation by the local data protection agency determined the site had been storing user passwords in plaintext without hashing. Knuddels was fined 20,000 euros for not securely storing the personal data of its customers. The fine was relatively low because Knuddels reported the security breach in a timely manner and took immediate steps to mitigate the security problem.
Lesson 4: While serious violations of the provisions of the GDPR are still subject to fines, timely reporting of security breaches to data protection authorities, combined with quick action by the violating business to reduce the risk of exposure of personal data, can reduce the fines levied significantly. All businesses handling sensitive personal data should have appropriate security and compliance policies in place to mitigate the risk of GDPR violations.
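The Knuddels finding above was plaintext password storage. The following is an added example (not Knuddels' code or anything from the investigation) of the corrective control: each password is stored only as a salted scrypt hash with its parameters, verified in constant time, and flagged for re-hashing when stored parameters fall below the current policy. The parameter values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed policy for this example: scrypt cost parameters and salt size.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, parameters, salt and derived key.

    The plaintext password is never stored; a leaked table of these records
    still requires a per-record brute-force search to recover any password.
    """
    salt = os.urandom(SALT_BYTES)                      # unique per user
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def _parse(record: str):
    """Split a stored record into (n, r, p, salt, key); None if malformed."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return None
    try:
        n, r, p = (int(x) for x in parts[1:4])
        return n, r, p, bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    except ValueError:
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/parameters and compare in constant time."""
    parsed = _parse(record)
    if parsed is None:
        return False
    n, r, p, salt, expected = parsed
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(actual, expected)   # no early exit on mismatch


def needs_rehash(record: str) -> bool:
    """True when a record was made with weaker-than-current parameters (rehash at next login)."""
    parsed = _parse(record)
    if parsed is None:
        return True
    n, r, p, _, _ = parsed
    return (n, r, p) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)
```

On a successful login, `needs_rehash` lets the stored record be upgraded transparently, so old records never have to be kept in a weaker form.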
The fines levied by the European data protection authorities during the first year of GDPR enforcement reveal one simple fact: The GDPR is real, enforceable, and applies to every business collecting, storing, and processing sensitive personal data. Compliance is not optional. Businesses risk significant, and possibly going-concern-ending, fines and penalties for non-compliance.