It has been a little over two years since the General Data Protection Regulation (GDPR) took effect in May 2018. According to the GDPR Enforcement Tracker, 348 fines totaling € 490,878,530 ($ 578 million) have been issued across 28 countries, including the post-Brexit UK, Norway, Iceland, and every EU member state except Luxembourg and Slovenia. The pandemic put a halt on many things, but it did not slow GDPR enforcement in 2020: 193 fines amounting to more than € 61 million ($ 71.9 million) were levied between 1 January and 1 September 2020, which is 132% more fines in the first eight months of 2020 than in the whole of 2019. With GDPR in full force, let us take a look at the ramifications in order to better prepare ourselves for the post-COVID future.
GDPR Fines by Countries
Spain has issued the most fines, with 127 cases (80 in 2020 alone) totaling € 3.6 million ($ 4.25 million). The UK, on the other hand, has issued only three. However, two of those three, though not yet final, are the two highest individual penalties announced to date: a British airline company at € 204.6 million ($ 241 million) and a multinational hospitality company at € 110.4 million ($ 130 million). Together they come to roughly 90 times the value of all of Spain's fines combined. Both figures are proposed amounts from the UK regulator's notices of intent, and a proposed penalty can be reduced substantially before the decision becomes final, so they should be read as intended rather than settled sums.
Italy tops the chart of final and binding fines, with 27 fines adding up to € 57.2 million ($ 67.4 million), closely followed by France with six penalties amounting to € 51.3 million ($ 60.4 million). Of the French total, the US-based search engine giant alone was fined € 50 million ($ 58.9 million), the largest individual fine so far that an EU supervisory authority has actually made final.
GDPR Fines by Types of Violations
The GDPR Enforcement Tracker also shows that the most common ground for a penalty (150 fines, almost € 129 million or $ 151.7 million) was 'Insufficient legal basis for data processing' under Articles 5 and 6. Second by count, but first by value, were 80 fines under Article 32, 'Insufficient technical and organizational measures to ensure information security', which together account for the largest total of any category at € 335 million ($ 394.9 million). Article 32 is the provision that matters most to security teams: these fines typically follow a data breach, where the supervisory authority concluded that the controller or processor had not implemented security measures appropriate to the risk. Other top reasons for violations are:
- Non-compliance with general data processing principles - 60 fines, € 17.5 million ($ 20.7 million)
- Insufficient fulfillment of data subjects rights - 39 fines, € 9.5 million ($ 11.2 million)
- Insufficient fulfillment of information obligations - 20 fines, € 0.57 million ($ 0.67 million)
2020 and Onward
Complying with GDPR was challenging before COVID-19, and it is getting harder with the current widespread shift to remote work and the adoption of collaboration technologies. Both spread personal data across more devices, networks and third-party services, which adds a layer of complexity and raises the risk profile of that data. Keeping the data of a dispersed workforce secure and compliant is central to meeting this challenge. It is more important now than ever for companies to have a holistic data governance strategy, with up-to-date guidelines and appropriate tools in place, to mitigate the risk of data breaches, data loss and non-compliance, and so steer clear of GDPR fines.
Is your company prepared to face the challenge?