This May 25th marks three years since the General Data Protection Regulation (GDPR) came into effect. The GDPR is the EU law governing the protection and privacy of EU citizens' personal data and its transfer outside the EEA. It represents an important milestone in how personal data is collected and protected, not only at the European level. The regulation has become a model for countries outside the EU such as Brazil, Japan and South Korea. The California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA) also have similarities with the GDPR. Following the UK’s withdrawal from the EU, the GDPR was converted into local law and it will be referred to as GDPR UK.
Fines for non-compliance
One of the most important changes introduced by the GDPR concerns the fines for non-compliance: the maximum fine a Data Protection Authority can impose is €20 million or 4% of the company’s global annual turnover for the previous financial year, whichever is higher.
During these three years, 636 fines were issued, amounting to more than €283 million (note: some fine amounts were not disclosed and are not part of these statistics).
Regarding the total number of fines, the Spanish Data Protection Authority has the highest count with 223, followed by Italy with 76 and Romania with 58.
One thing to note is that not all fines remained as they were initially set. For example, British Airways was fined £183m following a data breach, but the amount was reduced to £20m after the appeal and after the economic impact of the COVID-19 pandemic on the aviation industry was taken into account. Similar reasoning was behind the decision to reduce the fine for the Marriott group data breach from £100m to £18.4m.
Additionally, if we look at all the investigations and the largest fines applied, we notice that data breaches are only part of the violations. Other reasons, such as poor security practices or internal procedures, were behind various Data Protection Authorities’ investigations.
The takeaway?
Data privacy and security should remain a focus in our everyday lives and activities. The GDPR has helped us become more aware of, and responsible for, assessing, adapting and implementing extended security measures as well as data processing activities and processes.
How are you celebrating today and how has the GDPR changed your daily activities?
Let’s talk about your project
If you have questions or concerns about GDPR compliance or data security in general, feel free to get in touch with our data protection specialists.