Since the GDPR (General Data Protection Regulation) was introduced in 2018, countless organizations have made headlines for violations. British Airways, Marriot International Hotels, Austrian Post…but what about this year?
Keep reading to find out how many fines have been handed out in 2020, which organizations have been slapped with the biggest fines, why, and how the violation could have been prevented.
Key findings include:
As of December 2020, over 300 fines have been handed out for GDPR violations. Based on trends from the last 24 months, we can expect this number to continue rising.
Between July 2018 and June 2019, an average of 5 fines were handed out each month. But, between July 2019 and June 2020, an average of 18 fines were handed each month. That’s a 260% increase. And, with 45 fines issued for non-compliance in October 2020 alone, it’s clear that the EU authorities take information security and compliance very seriously. But, do organizations? Maybe not…
Research suggests that only 20% of US, UK, and EU companies are fully GDPR compliant and – worse still – a whopping 30% of companies have yet to even start their GDPR compliance initiatives. Ensuring compliance is key, though, especially when organizations can be fined up to €20 million (just short of $23 million) or 4% of annual global turnover (whichever is larger) for a violation.
With two months to go, we have already seen fines that shatter records set in previous years. Here are the biggest GDPR fines of 2020 so far:
Although Google’s fine is technically from last year, the company lodged an appeal against it. Last month, however, judges at France’s top court for administrative law dismissed Google’s appeal and upheld the eye-watering penalty.
Google was hit with this GDPR fine – the largest one to date – for multiple infractions under Articles 5, 6, 13, and 14. While each violation is slightly different, the long and short of it is that Google wasn’t transparent in divulging how they harvested and used data for ad targeting.
How the violation(s) could have been avoided: Google should have provided more information to users in consent policies and should have granted them more control over how their personal data is processed.
On October 5, the Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M €35,258,707.95 — the second-largest GDPR fine ever imposed.
H&M’s GDPR violations involved the “monitoring of several hundred employees.” After employees took vacation or sick leave, they were required to attend a return-to-work meeting. Some of these meetings were recorded and accessible to over 50 H&M managers.
Senior H&M staff gained ”a broad knowledge of their employees’ private lives… ranging from rather harmless details to family issues and religious beliefs.” This “detailed profile” was used to help evaluate employees’ performance and make decisions about their employment.
How the violation(s) could have been avoided: Details of the decision haven’t been published, but the seriousness of H&M’s violation is clear.
H&M appears to have violated the GDPR’s principle of data minimization — don’t process personal information, particularly sensitive data about people’s health and beliefs, unless you need to for a specific purpose.
H&M should also have placed strict access controls on the data, and the company should not have used this data to make decisions about people’s employment.
Just two weeks into the new year on January 15, Italian telecommunications operator TIM (or Telecom Italia) was stung with a €27.8 million GDPR fine from Garante, the Italian Data Protection Authority, for a series of infractions and violations that have accumulated over the last several years.
TIM’s infractions include a variety of unlawful actions, most of which stem from an overly-aggressive marketing strategy. Millions of individuals were bombarded with promotional calls and unsolicited communications, some of whom were on non-contact and exclusion lists.
How the violation(s) could have been avoided: TIM should have managed lists of data subjects more carefully and created specific opt-ins for different marketing activities.
In October, the ICO hit British Airways with a $26 million fine for a breach that took place in 2018. This is considerably less than $238 million dollar fine that the ICO originally said it intended to issue back in 2019. So, what happened back in 2018?
British Airway’s systems were compromised. The breach affected 400,000 customers and hackers got their hands on log in details, payment card information, and PI like travellers’ names and addresses.
How the violation(s) could have been avoided: According to the ICO, the attack was preventable, but BA didn’t have sufficient security measures in place to protect their systems, networks, and data. In fact, they didn’t even have basics like multi-factor authentication in place at the time of the breach. Going forward, the airline should take a data-first security approach, invest in security solutions, and ensure they have strict data privacy policies and procedures in place.
While this is an eye-watering fine, it’s actually significantly lower than the $123 million fine the ICO originally said they’d levy. So, what happened? 383 million guest records (30 million EU residents) were exposed after the hotel chain’s guest reservation database was compromised. PI like guests’ names, addresses, passport numbers, and payment card information was exposed.
Note: The hack originated in Starwood Group’s reservation system in 2014. While Marriott acquired Starwood in 2016, the hack wasn’t detected until September 2018.
How the violation(s) could have been avoided: The ICO found that Marriott failed to perform adequate due diligence after acquiring Starwood. They should have done more to safeguard their systemswith a stronger data loss prevention (DLP) strategyand utilized de-identification methods.
On July 13, Italian Data Protection Authority imposed a fine of €16,729,600 on telecoms company Wind due to its unlawful direct marketing activities.
The enforcement action started after Italy’s regulator received complaints about Wind Tre’s marketing communications. Wind reportedly spammed Italians with ads — without their consent — and provided incorrect contact details, leaving consumers unable to unsubscribe.
The regulator also found that Wind’s mobile apps forced users to agree to direct marketing and location tracking and that its business partners had undertaken illegal data-collection activities.
How the violation(s) could have been avoided:Wind should have established a valid lawful basis before using people’s contact details for direct marketing purposes. This probably would have meant getting consumers’ consent — unless it could demonstrate that sending marketing materials was in its “legitimate interests.”
It has not been a good year for Google. In March, the Swedish Data Protection Authority of Sweden (SDPA) fined Google for neglecting to remove a pair of search result listings under Europe’s “right to be forgotten” rules under the GDPR, which the SDPA ordered the company to do in 2017.
How the violation(s) could have been avoided: Google should have fulfilled the rights of data subjects, primarily their right to be forgotten. This is also known as the right to erasure. How? By “ensuring a process was in place to respond to requests for erasure without undue delay and within one month of receipt.”
You can find more information about how to comply with requests for erasure from the ICO here.
On June 30, the Data Protection Authority of Baden-Wuerttemberg, Germany, imposed a €1.24 million fine on health insurance company Allgemeine Ortskrankenkasse (AOK).
AOK set up contests and lotteries using its customers’ personal information — including their health insurance details. The company also used this data for direct marketing. AOK tried to get consent for this, but it ended up marketing to some users who had not consented.
The regulator found that the company had sent people marketing communications without establishing a lawful basis. AOK also failed to implement proper technical and organizational privacy safeguards to ensure they only sent marketing to those who consented.
How the violation(s) could have been avoided: What’s the main takeaway from the AOK case? Be very careful when sending direct marketing. If you need people’s consent, make sure you keep adequate, up-to-date records of who has consented.
On July 6, the Dutch Data Protection Authority fined the Bureau Krediet Registration (‘BKR’) €830,000 for charging individuals to access their personal information digitally. BKR allowed customers to access their personal information for free on paper, but only once per year.
BKR is appealing the fine.
How the violation(s) could have been avoided: BKR shouldn’t have been charging individuals to access their personal information, and they shouldn’t have been imposing a once-per-year limit. The GDPR is clear — you may only charge for access to personal information, or refuse access, if a person’s request is “manifestly unfounded or excessive.”
On July 13, the Italian Data Protection Authority fined telecoms company Iliad Italia €800,000 for processing its users’ personal information unlawfully in numerous ways.
One issue was Iliad’s collection of consent for its marketing activities, which the regulator found had been “bundled” with an acknowledgment of the company’s terms and conditions. Iliad also failed to store its users’ communications data securely.
How the violation(s) could have been avoided: Consent under the GDPR is defined very narrowly. If you’re going to ask for a person’s consent, you must make it specific to a particular activity. Don’t “bundle” your consent requests — for example, by asking people to agree to marketing and sign a contract using one tickbox.
Data security is one of the cornerstones of the GDPR. Iliad appears to have failed to implement proper access controls on its users’ personal information. You must ensure that personal information is only accessible on a “need to know” basis.
In April, the Dutch Data Protection Authority handed out its largest fine to date to a so-far unknown company for unlawfully using employees’ fingerprint scans for its attendance and timekeeping records. The violation took place over the course of 10 months. Note: Under the GDPR, biometric data like fingerprints are classified as sensitive personal data and it is subject to more stringent protections.
How the violation(s) could have been avoided: The company should have had a valid, lawful reason to collect employees’ fingerprints. They should have also had technical measures in place to process the data and a clear process for deleting the data.
While the biggest fines so far in 2020 involve marketing activities, failure to remove personal data when requested by EU citizens, and unlawfully requiring employees to have their biometric data recorded, there are a number of ways in which a breach can occur.
In fact, so far this year, misdirected emails have been the primary cause of data loss reported to the ICO. But, how do you prevent an accident? By focusing on people rather than systems and networks.
Powered by machine learning, Tessian’s Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity, including misdirected emails. Tessian also detects and prevents spear phishing attacks and data exfiltration attempts on email.
Importantly, though, Tessian doesn’t just prevent breaches. Tessian’s key features – which are both proactive and reactive – align with the GDPR requirement “to implement appropriate technical and organizational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing” (Article 32).