Since the GDPR (General Data Protection Regulation) was introduced in 2018, countless organizations have made headlines for violations. British Airways, Marriott International Hotels, Austrian Post… but what about this year?
Keep reading to find out how many fines have been handed out in 2020, which organizations have been slapped with the biggest fines, why, and how the violation could have been prevented.
Key findings include:
As of July 2020, around 330 fines have been handed out for GDPR violations. Based on trends from the last 24 months, we can expect this number to continue rising.
Between July 2018 and June 2019, an average of 5 fines were handed out each month. But between July 2019 and June 2020, an average of 18 fines were handed out each month. That’s a 260% increase. And, with 36 fines issued for non-compliance in March 2020 alone, it’s clear that the EU authorities take information security and compliance very seriously. But do organizations? Maybe not…
Research suggests that only 20% of US, UK, and EU companies are fully GDPR compliant and – worse still – a whopping 30% of companies have yet to even start their GDPR compliance initiatives. Ensuring compliance is key, though, especially when organizations can be fined up to €20 million (just short of $23 million) or 4% of annual global turnover (whichever is larger) for a violation.
While we’re just over halfway through the year, we have already seen fines that shatter records set in previous years. Here are the biggest GDPR fines of 2020 so far:
Although Google’s fine is technically from last year, the company lodged an appeal against it. Last month, however, judges at France’s top court for administrative law dismissed Google’s appeal and upheld the eye-watering penalty.
Google was hit with this GDPR fine – the largest one to date – for multiple infractions under Articles 5, 6, 13, and 14. While each violation is slightly different, the long and short of it is that Google wasn’t transparent in divulging how they harvested and used data for ad targeting.
How the violation(s) could have been avoided: Google should have provided more information to users in consent policies and should have granted them more control over how their personal data is processed.
Just two weeks into the new year, on January 15, Italian telecommunications operator TIM (or Telecom Italia) was stung with a €27.8 million GDPR fine from Garante, the Italian Data Protection Authority, for a series of infractions and violations that had accumulated over the last several years.
TIM’s infractions include a variety of unlawful actions, most of which stem from an overly aggressive marketing strategy. Millions of individuals were bombarded with promotional calls and unsolicited communications, some of whom were on non-contact and exclusion lists.
How the violation(s) could have been avoided: TIM should have managed lists of data subjects more carefully and created specific opt-ins for different marketing activities.
It has not been a good year for Google. In March, the Swedish Data Protection Authority (SDPA) fined Google for neglecting to remove a pair of search result listings under the GDPR’s “right to be forgotten” rules, which the SDPA had ordered the company to do in 2017.
How the violation(s) could have been avoided: Google should have fulfilled the rights of data subjects, primarily their right to be forgotten. This is also known as the right to erasure. How? By “ensuring a process was in place to respond to requests for erasure without undue delay and within one month of receipt.”
You can find more information about how to comply with requests for erasure on the ICO’s website.
In April, the Dutch Data Protection Authority handed out its largest fine to date to a so-far unnamed company for unlawfully using employees’ fingerprint scans for its attendance and timekeeping records. The violation took place over the course of 10 months. Note: Under the GDPR, biometric data like fingerprints is classified as sensitive personal data and is subject to more stringent protections.
How the violation(s) could have been avoided: The company should have had a valid, lawful basis for collecting employees’ fingerprints. It should also have had appropriate technical measures in place for processing the data and a clear process for deleting it.
While the biggest fines so far in 2020 involve failure to remove personal data when requested by EU citizens and unlawfully requiring employees to have their biometric data recorded, there are a number of ways in which a breach can occur.
In fact, so far this year, misdirected emails have been the primary cause of data loss reported to the ICO. But how do you prevent an accident? By focusing on people rather than only on systems and networks.
Powered by machine learning, Tessian’s Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity, including misdirected emails. Tessian also detects and prevents spear phishing attacks and data exfiltration attempts on email.
Importantly, though, Tessian doesn’t just prevent breaches. Tessian’s key features – which are both proactive and reactive – align with the GDPR requirement “to implement appropriate technical and organizational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing” (Article 32).