The GDPR is often described as the most significant data privacy regulation in 20 years and a substantial step up from the EU's previous data protection regime. It became applicable on 25 May 2018, replacing the 1995 Data Protection Directive (Directive 95/46/EC).
While Directive 95/46 was in force, each EU member state transposed it into its own national law, so personal data protection rules were not harmonized. The GDPR created a single legal instrument that applies directly in all EU member states and, through its extraterritorial scope, to organizations outside the EU that process EU residents' data. It also addresses technologies the Directive never contemplated, such as big data analytics, mobile applications and social networks.
GDPR fines can reach 20 million euros or 4 percent of annual global turnover, whichever is higher. That alone makes the case for bringing business operations into line with the GDPR without delay.
Nevertheless, research by the global law firm DLA Piper shows that the number of notified personal data breaches rose again over the past year.
Its 2021 survey found that data protection authorities received 121,165 breach notifications in the preceding twelve months, 19% more than in the previous period, and analysts expect the double-digit growth trend to continue.
Fines rose by almost 40% over the same period, and some of the world's largest companies have not been spared severe penalties for GDPR infringements.
Below are the biggest penalties imposed so far for non-compliance with the GDPR.
In January 2019, the French data protection authority CNIL (Commission Nationale de l'Informatique et des Libertés) fined Google 50 million euros for a lack of transparency in how personal data was collected from data subjects and used for advertising purposes. Google had not given users clear enough information about how their consent was obtained, nor sufficient control over how their personal data was processed.
Google appealed, but in June 2020 the Conseil d'État, France's highest administrative court, dismissed the appeal and upheld the fine.
This is not the only time Google has been held accountable under the GDPR. In March 2020, the Swedish Data Protection Authority fined Google around 7 million euros (SEK 75 million) for failing to remove certain search results despite being ordered to do so in 2017. Under the GDPR's right to erasure, the "right to be forgotten", Google was obliged to delist them on request.
Google has also been fined in Russia, although under Russia's own personal data law rather than the GDPR: a penalty of 3 million rubles (about 34,620 euros) was imposed for violating that law. Google paid the fine without comment. Russia had previously penalised Google for failing to delete banned content.
The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) fined the Swedish retail group Hennes & Mauritz (H&M) 35,258,708 euros in October 2020 for violating the General Data Protection Regulation.
The company had collected sensitive personal data about employees at its Nuremberg service centre through inappropriate means, including notes taken by managers on informal conversations and workplace gossip. Senior staff built up extensive knowledge of employees' private lives, ranging from fairly innocuous details to family problems and religious beliefs. The records also covered medical information such as diagnoses and symptoms of illness, as well as private details about vacations and family affairs. These detailed profiles were used to assess employees' performance and influenced decisions about their employment.
Italian telecommunications operator TIM (Telecom Italia) received a 27.8 million euro GDPR fine from Garante, the Italian data protection authority, for a series of infringements accumulated over several years.
Most of TIM's infringements stemmed from an overly aggressive marketing strategy. Millions of people were bombarded with promotional calls and unsolicited communications, including people who had registered on do-not-call and opt-out lists.
The activities for which TIM was fined include improper management of consent and contact lists, excessive data retention, data breaches, lack of valid consent and failure to honour data subjects' rights.
The UK Information Commissioner's Office (ICO) fined British Airways in October 2020 for a data breach that occurred in 2018. The ICO had originally announced its intention to fine the airline around 204 million euros (£183 million) for infringing the GDPR's security of processing requirements, chiefly Article 32. In view of the pandemic's effect on the aviation industry, the final fine was reduced to around 22 million euros (£20 million).
The company's systems had been compromised. For about two months, code injected into the British Airways website caused data entered by customers to be sent to a domain under the attacker's control, resulting in the theft of personal information from more than 400,000 customers.
According to the ICO's official statement, the investigation found that the airline was processing a significant amount of personal data without adequate security measures, in breach of data protection law. As a result, British Airways fell victim to a cyber attack in 2018 that went undetected for roughly two months.
The compromised information included log-in details, payment card details and travel booking information, as well as names and addresses.
According to the ICO, the attack could have been prevented had the company had adequate security controls in place. British Airways not only lacked adequate measures to protect its systems, networks and data; at the time of the attack it was missing basics such as multi-factor authentication.
The Marriott hotel chain suffered a breach that exposed the personal data of its guests: 339 million guest records, of which around 31 million related to residents of the European Economic Area. The ICO fined Marriott £18.4 million in October 2020, down from the £99 million it had originally proposed.
The intrusion began in Starwood's guest reservation system in 2014. Marriott acquired Starwood in 2016, but the compromise was not detected until September 2018.
The ICO found that Marriott had not carried out sufficient due diligence after acquiring Starwood and should have done more to secure the systems it inherited.
Amazon also has to be mentioned. By far the largest penalty ever imposed for non-compliance with the GDPR was handed down to the company in July 2021: an extraordinary 746 million euros.
This record-breaking fine, imposed by Luxembourg's National Data Protection Commission (CNPD), is almost twice as high as all other GDPR penalties combined.
Frustratingly, few details have emerged about what Amazon's fine relates to. It followed a 2018 complaint by the French advocacy group La Quadrature du Net, acting on behalf of 10,000 people, which argued that Amazon's advertising system is not based on freely given consent.
Amazon stated that there had been no data breach and announced that it would appeal. It remains to be seen whether this astronomical sum will ever be paid.
GDPR compliance may seem overwhelming right now, but in the long term we expect it to bring better user and customer experiences, fewer data breaches, and greater trust between consumers and organizations over personal data.
The simplest and most obvious way to avoid GDPR fines and keep your reputation intact is to make sure you are as compliant with the GDPR as possible.
Sky Express can help you comply with the GDPR and improve your overall information system. For more information, contact us at prodaja@sky-express.rs.
Sky Express is an exclusive distributor of advanced cybersecurity solutions and services in the field of information security, covering the SEE market.