GDPR Fines & Data Breach Penalties
Easy to read guide to GDPR fines and penalties. We look at the most serious fines issued and how they were calculated, as well as examples of personal fines.
When the European Union implemented the General Data Protection Regulation (GDPR) with fines of up to 4% of annual revenue, it introduced some of the harshest penalties for a breach of data protection laws anywhere in the world. In doing this, the Data Protection Authorities created tremendous leverage to gain compliance with the regulations, ensure consent is received from data subjects and to reduce the likelihood of personal data violation.
However, despite these threats, there have still been some record-breaking GDPR fines issued to high-profile organizations, an indication that some are always prepared to take risks with regard to the data processing of client information.
What do Google, British Airways, H&M and Marriott all have in common? Well, they all received fines in excess of €10,000,000 for GDPR violations relating to personal data.
This might lead you to think that this is something which is associated with the big corporates. But that’s not the case because both small companies and individuals have also been at the receiving end of fines and penalties.
Now the €48 fine issued to the Estonian Police Officer who checked out his future spouse and the €200 fine given to the German YouTuber may seem small enough not to worry about. However, consider the time spent dealing with the situation, the certainty of it being reported in the local press, and the impact it may have on customer trust and loyalty. That’s not to mention the opportunity it provides competitors to use the news as a way of promoting their own ‘ethical stance.’
The fine itself may be small, but the impact on online reputation management might well be more significant.
Let’s take a closer look at some of those fines issued under the terms of the General Data Protection Regulation.
When the fine is just under €100 million, it’s clear that the problems are serious. And this was the case for Marriott International when they were fined for GDPR infringements.
Their data breach was thought to have affected over 339 million guests’ personal data, of which around 10% related to European residents. The breach included highly sensitive information, such as payment details and passport information.
The incident was reported to the ICO in November 2018 despite Marriott being aware of a potential GDPR violation two months previously when a security tool alerted following the processing of an unusual database query.
During the investigation, it was established that the vulnerability of personal data came from the systems that Marriott had inherited when they purchased the Starwood Hotels Group in 2014. The ICO found that Marriott had failed in their due diligence of the Starwood IT systems when it bought the company.
The 2020 $23.8 million fine that the ICO finally placed on Marriott was, however, much lower than the €100 million first quoted. It’s thought that the coronavirus situation played a part in the decision to issue a reduced fine.
In 2018, British Airways were fined £20 million ($26 million) by the Information Commissioner’s Office for a data breach that affected over 400,000 customers. The GDPR breach involved BA’s systems being hacked, followed by the harvesting of customer data, including name, address, and payment card information, along with booking details.
As with the Marriott case, the fine awarded was less than the £183 million the ICO originally stated.
October 2020 saw H&M being fined €35.3m for the illegal surveillance of its employees. The German data protection watchdog found that H&M kept excessive records relating to their employees’ families, religions, and illnesses.
H&M carried out extensive staff surveys and ‘informal chats’ to gather this information, which was then used to make employment decisions. Alongside the fine, H&M stated that financial compensation would be made to all staff who worked at the affected office in Nuremberg.
The nominated authority in each of the EU countries can decide whether there has been an infringement of the GDPR regulations within their region and what the fines and penalties will be. In the UK, for example, that’s the Information Commissioner’s Office or ICO. The aim of the financial penalty is for it to be effective, proportionate, and dissuasive.
For the less severe infringements, GDPR fines of up to €10 million can be issued, or a penalty of 2% of the company’s worldwide annual revenue if that’s a higher figure. Generally, this lower level of fine is applied when the infringement is one listed in Article 83(4) of the GDPR, and these include issues associated with:
• Integrating data protection ‘by design and by default.’
• Recording processing activities.
• Co-operating with the supervising authority.
• The security in place for the processing of data.
• Communicating with supervisory authorities and data subjects where there is a personal data breach.
• The undertaking of an Impact Assessment.
• Prior consultation with the appropriate authorities before processing commences.
• The appointment and tasks allocated to the Data Protection Officer.
• Certification completed to ensure GDPR compliance.
When infringements relate to principles associated with consent, the right to data privacy and the right to be forgotten, the offender is considered to have disregarded the fundamental principles and ethos of the GDPR. In this situation, offenders are subject to the higher tier of GDPR fines and penalties, which could be up to €20 million, or 4% of the previous financial year’s worldwide annual revenue, again whichever is the higher of the two.
When the ICO, or their equivalent, identifies an issue, they require steps to be taken to remedy the situation. If those steps are not taken, then a penalty can be issued. It should be noted that these penalties are not just given when an incident has taken place; these are fines that are issued when identified action is not taken, which may then lead to an incident.
|Penalty|Type of Contravention|
|---|---|
|Up to £1 million|Failure to comply with an information notice or being un-cooperative during an inspection.|
|Up to £3.4 million|Any contravention which could cause an incident resulting in a reduction in service.|
|Up to £8.5 million|Any contravention which could cause an incident resulting in the disruption of service.|
|Up to £17 million|Any contravention which could cause an incident resulting in a threat to life or a significant adverse effect on the economy.|
It’s also essential for employees to be aware that they are not shielded by the company should they use a data subject’s information for anything other than the purpose for which consent has been obtained. In that situation, with such disregard for data privacy, it’s highly likely that they will receive a fine for which they are personally liable.
However, these significant fines are not where the financial liability ends, and that’s because they are just the administrative GDPR fine. The General Data Protection Regulation also gives data subjects the right to seek compensation when an organization’s GDPR failure has caused material or non-material damage.
What’s The Decision Making Process for GDPR Fines?
To assist the ICO, or their equivalent in other European countries, to come to a decision, they will consider the following aspects of the case.
This first criterion asks the regulator to consider the overall picture of the infringement. That means reviewing what happened, how it took place, and why it happened in the first place. They will then consider the impact, which includes how many people’s personal data was affected and what the implications were. Finally, they will consider the timescale to reach a resolution.
Now it is important to consider whether the issue is a matter of negligence or whether it was a deliberate intent to disregard the requirements of the GDPR.
An assessment is then made of whether the firm took any action to reduce the damage suffered by those whose data was affected once the issue was identified.
This is an assessment of the company’s preparation, both technical and organizational, to ensure that they would be GDPR compliant.
This requires consideration of any historical non-compliance regarding the Data Protection Directive and whether there was GDPR compliance with previous corrective actions.
Assessment of whether the company co-operated with the authorities when the infringement was identified.
Consideration of the type of personal data that was affected by the infringement.
Did the firm or their designated third party report the GDPR infringement to the appropriate authorities?
Assessment of whether the approved codes of conduct were followed or if the company had successfully undertaken certification.
Consideration of other issues that came about due to the case, which may include whether there was any financial loss or gains as a result of the infringement.
When a data protection authority becomes alerted to GDPR non-compliance within an organization, there are several actions it can take.
An ‘information notice’ (IN) is issued when further information is required to assess network and information systems’ security. They will also review how data processing policies and security measures are implemented, and how inspections are carried out.
The IN will state what information is needed and why, and how it should be submitted. A deadline for completion will also be given. If the organization does not comply with the processing and policies stated with the IN, then an enforcement notice will be issued.
There are several situations in which an enforcement notice is issued, and these include:
If an enforcement notice isn’t complied with, then there is the risk of a penalty being imposed.
When an enforcement notice has been ignored, or the data authority is not satisfied with the explanation given for not following its requirements, a penalty notice may be issued.
The penalty notice specifies the reasons for the penalty, how much must be paid along with the deadline for payment, and also information on how to appeal the notice.
It can be challenging to understand exactly what a violation of GDPR is, and that’s because the language of the legislation is deliberately vague. The intent behind this was to have some flexibility in the system and to differentiate between deliberate attempts to ignore the regulations and errors being made when attempting to follow its requirements and become GDPR compliant.
Some of the most significant GDPR fines issued to date provide an insight into the often-historical mismanagement of how personal data is processed. This includes the concept of consent, respect for privacy and the disregard for data security. And with organizations the size of Google receiving fines for violation of GDPR, it’s no wonder that it can be challenging for smaller businesses to find their way around the regulations.