The General Data Protection Regulation (GDPR) is a relatively new piece of legislation for the digital privacy of European Union (EU) citizens that came into effect in May 2018. Simply put, it is one of the most stringent data privacy and security laws, requiring any organization anywhere in the world to protect data that is collected from people in the EU.
The specifications of GDPR are shifting companies from a mere checkbox compliance attitude to a more comprehensive, holistic approach to managing and protecting personal data. The core philosophy of GDPR is to provide transparency, information and consent regarding personal data, personal information (PI) or personally identifiable information (PII).
Companies may fear upgrading their data management and compliance methodologies, largely due to the misconception that it is too complex and too expensive. However, the fines from GDPR violations have been major news over the last few years, costing millions of dollars and euros. You’ll see that it is well worth the investment to improve data compliance measures instead of risking a violation.
The legislation states that, “the fine framework can be up to 20 million euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year, whichever is higher.”
According to the DLA Piper GDPR Data Breach Survey, between January 2020 and January 2021:
- Fines for GDPR violations increased by almost 40%.
- GDPR penalties amounted to $191.5 million or €158.5 million.
GDPR isn’t a concern you can put on a back shelf and forget about. Lack of compliance can result in whopping fines, and no one is exempt.
Top 3 GDPR Fines from 2020
- British Airways
British Airways was slammed by the ICO with a fine of $26 million in October 2020. This amounts to €22 million. This was for a breach that transpired in 2018. Although this amount is lower than the original $248 million fine, it’s still an enormous amount.
In 2018, a data breach impacted 400,000 British Airways customers, with hackers gaining access to PI data such as names and addresses as well as login and payment details. The attack was preventable, according to the ICO. However, British Airways lacked adequate security measures to safeguard their networks, systems and ultimately data. Shockingly, they didn’t even have multi-factor authentication implemented when the breach occurred. The airline will need to ensure a data-first approach to security with strict data privacy policies and procedures. This will likely require investment in compliance and/or security solutions.
- H&M
Clothing retailer H&M received the second-largest GDPR fine to date in October 2020. The Data Protection Authority of Hamburg hit the retailer with a massive fine of €35.3 million, or $42.6 million, for the unlawful monitoring of several hundred employees. The same day, H&M announced that it would close 250 of its stores worldwide.
When employees returned from sick leave or vacation, there was a mandatory workplace-return meeting. Some of these meetings were recorded and later accessible to many H&M managers. Senior management gleaned knowledge of their employees’ private lives, spanning family details and religious beliefs. This detailed information was used to evaluate the performance of employees and make decisions pertaining to their jobs.
This was clearly a serious violation. The GDPR stipulates that personal information, especially about health and beliefs, is not to be processed unless it is needed for a specific purpose, and even then consent is required.
H&M should have ensured stricter access control on such data, and the company should not have used such personal data in making decisions regarding the employment of people.
- Google
Even Google was slammed with the highest GDPR penalty to date: a fine of nearly $57 million, which equates to €50 million. Technically the fine was from 2019, but Google appealed. In March 2020, their appeal was dismissed and the monumental penalty was enforced.
The issue arose from Google’s handling of personal data, particularly ad personalization. In this case, Google could have avoided the violations by ensuring that users were provided with more information in consent policies. This would have served to grant users a higher level of control over the manner in which their personal data was processed.
As you can see, data compliance and GDPR fines are no laughing matter, with companies worldwide being hit by massive fines.
If you’d like to explore data compliance for your organization, the ComplyD team would be glad to help. Leverage our SAP-native data discovery and compliance enablement tool, which provides comprehensive visibility via a user-friendly, unified dashboard with analytics. You’ll be able to proactively take steps to meet any compliance regulations for ANY industry or geography. Our scientific, robust DASH approach discovers vulnerabilities and secures and hardens your perimeter to meet compliance regulations and avoid violations. If you’d like a taste of compliance simplified for your entire enterprise, please request a demo.