A $267 million fine was recently imposed on a leading social networking platform by the Irish Data Protection Commission (DPC) for violating the General Data Protection Regulation (GDPR). This is the most significant fine levied by the Irish watchdog and the second-highest in the European Union (EU). The largest new GDPR fine was the €746 million penalty recently imposed for a similar reason on an eCommerce giant in July.
With the surge in fines, amounting to hundreds of millions of euros in penalties, companies can no longer afford to overlook the GDPR. According to the annual report published by the DPC, the independent supervisory authority responsible for enforcing the GDPR in Ireland, it received more than 23,000 web, just under 10,000 phone, and roughly 2,000 postal contacts in 2020. It also handled a total of 10,151 cases in 2020, up 9% on its 2019 figures. The top five categories of GDPR-related complaints were access requests (1,683), fair processing (1,623), disclosure (793), direct marketing (429), and right to erasure (423). And those are only the numbers from Ireland's supervisory authority. The number of GDPR complaints across the EU as a whole is far higher, and the total value of new GDPR fines has exceeded €1 billion, which shows that the GDPR cannot be ignored any longer.
New GDPR fines show the law cannot be ignored
The GDPR states that improper handling of the personal data of people in the EU can result in fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. With such high stakes, the GDPR inevitably shapes how companies collect and process user data. Here are four ways companies can be more GDPR compliant:
Ensure that email addresses, usernames, passwords, installation IDs, shipping addresses, and other user-supplied personal data are lawfully gathered. Obtain explicit consent from users (or document another lawful basis for the processing), and store and process their data only in the manner agreed. When that consent lapses or is withdrawn, either delete the information in a defensible, documented way or ask the user to renew it.
Under the GDPR, the data controller, the organisation that decides why and how user data is collected, remains responsible for that data even when it is handled by someone else. A company collecting data must therefore ensure that any third-party service providers (processors) acting on its behalf are also GDPR compliant and apply the same data protection standards to user information. If they do not, your company can be held liable.
The GDPR also gives users a right to erasure (the "right to be forgotten"): subject to the conditions in Article 17, their personal data must be deleted when they request it. The company must therefore be able to locate and remediate all of a person's data, both in its own systems and in those of its third-party service providers.
Regularly assess and audit the data you hold to identify risks before they become incidents. One way of doing this is to perform mock remediation attempts: walk through the process of finding a given person's data and applying the remediation action to it, and document each step and its outcome. This ensures that your organization is prepared and genuinely capable of remediating personal data when a real request arrives.
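The four practices above (consent with an agreed retention period, accountability for data held by processors, the ability to find and erase a subject's data everywhere, and rehearsed "mock" remediation) fit together naturally as one data inventory. The following is an added example written for this page, not code from the original article or from any product it mentions. It models an in-house system and a third-party processor as simple stores, tracks consent with an expiry, and implements erasure with a dry-run mode that writes an audit trail without touching data. All names, the sample subjects, and the 90-day and two-year retention windows are constructed assumptions.

```python
"""Added example (not from the article): a minimal controller-side data inventory.

It tracks consent per data subject with an agreed validity window, locates a
subject's personal data across first-party and processor systems, and performs
erasure either for real or as a dry run ("mock remediation") that only records
what would happen. Every action is written to an audit log.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed timestamps used by the demo data below (assumption, not real data).
DEMO_T0 = datetime(2021, 1, 1, tzinfo=timezone.utc)
DEMO_NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)


@dataclass
class Consent:
    """Consent a subject gave for one purpose, valid for an agreed window."""
    subject_id: str
    purpose: str
    granted_at: datetime
    valid_for: timedelta

    def is_valid(self, now: datetime) -> bool:
        return now < self.granted_at + self.valid_for


class DataStore:
    """One system holding personal data: our own database, or a processor
    (third-party service) acting on our behalf."""

    def __init__(self, name: str, processor: bool = False):
        self.name = name
        self.processor = processor
        self.records: Dict[str, Dict[str, str]] = {}  # subject_id -> fields

    def holds(self, subject_id: str) -> bool:
        return subject_id in self.records

    def erase(self, subject_id: str) -> bool:
        return self.records.pop(subject_id, None) is not None


class Inventory:
    """The controller's index of every store it uses and every consent it holds."""

    def __init__(self, stores: List[DataStore]):
        self.stores = stores
        self.consents: List[Consent] = []
        self.audit: List[dict] = []

    def locate(self, subject_id: str) -> List[str]:
        """Names of every system, own or processor, still holding the subject's data."""
        return [s.name for s in self.stores if s.holds(subject_id)]

    def erase_subject(self, subject_id: str, reason: str, dry_run: bool = False,
                      now: Optional[datetime] = None) -> List[dict]:
        """Erase a subject everywhere; with dry_run only record what would happen.
        Returns the audit entries written, one per system that held data."""
        now = now or datetime.now(timezone.utc)
        entries = []
        for store in self.stores:
            if not store.holds(subject_id):
                continue
            if dry_run:
                action = "would_erase"
            else:
                action = "erased" if store.erase(subject_id) else "failed"
            entries.append({"subject": subject_id, "system": store.name,
                            "processor": store.processor, "action": action,
                            "reason": reason, "at": now.isoformat()})
        if not dry_run:  # consent records go with the data they covered
            self.consents = [c for c in self.consents if c.subject_id != subject_id]
        self.audit.extend(entries)
        return entries

    def sweep_expired(self, now: datetime, dry_run: bool = False) -> List[str]:
        """Erase (or, if dry_run, report) subjects none of whose consents are still valid."""
        by_subject: Dict[str, List[Consent]] = {}
        for c in self.consents:
            by_subject.setdefault(c.subject_id, []).append(c)
        lapsed = sorted(sid for sid, cs in by_subject.items()
                        if not any(c.is_valid(now) for c in cs))
        for sid in lapsed:
            self.erase_subject(sid, reason="consent_expired", dry_run=dry_run, now=now)
        return lapsed


def build_demo_inventory() -> Inventory:
    """Constructed sample data: an in-house CRM plus a third-party mailing
    processor, two subjects, one of whom gave only a 90-day marketing consent."""
    crm = DataStore("crm")
    mailer = DataStore("mailer-saas", processor=True)
    inv = Inventory([crm, mailer])
    for sid, email in (("u-alice", "alice@example.com"), ("u-bob", "bob@example.com")):
        crm.records[sid] = {"email": email, "shipping": "1 Example Street"}
        mailer.records[sid] = {"email": email}
    inv.consents.append(Consent("u-alice", "marketing", DEMO_T0, timedelta(days=90)))
    inv.consents.append(Consent("u-bob", "marketing", DEMO_T0, timedelta(days=730)))
    return inv


if __name__ == "__main__":
    inv = build_demo_inventory()
    inv.erase_subject("u-bob", reason="erasure_request", dry_run=True, now=DEMO_NOW)
    inv.sweep_expired(DEMO_NOW)
    for entry in inv.audit:
        print(entry)
```

The dry-run path is the "mock remediation" from the text: it exercises the same discovery logic as a real erasure and leaves an audit record, so a gap (a processor not registered in the inventory) shows up before a real request does. Note that the sweep only erases a subject once every consent they gave has lapsed; a subject with one expired purpose and one still-valid purpose would need per-purpose deletion instead.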
While information management has always been part of corporate operations, the GDPR has dramatically widened the scope of governance required. Though this can seem daunting, adhering to the GDPR is essential to protect your company from hefty fines and reputational damage. As a result, many firms have turned to information management solutions for help, since enterprises cannot ignore the GDPR for long if they want to do business in the EU or with people in the EU.