GDPR Audit: Who Complied and Who Was Fined

5/23/19 8:30 AM  |  by RedLegg Blog

View RedLegg's GDPR Service

A year after the European Union’s General Data Protection Regulation (GDPR) went into effect, we’re starting to see some clear trends. (You can read up on the impact of GDPR so far here.)

Those That Prepared…

Organizations that took GDPR compliance seriously have so far escaped any violations. These companies acted to review privacy rules and data handling to make the necessary changes.

GDPR targets organizations that don’t safeguard data privacy and security. In addition to complying with the regulation, companies must also be able to demonstrate their compliance and the actions they have taken. One such action is to designate a Data Protection Officer (DPO) who is responsible for compliance within the company. GDPR has created the need for more than 100,000 DPOs worldwide, according to the International Association of Privacy Professionals.

Those That Didn’t…

Those that failed to prepare, or ignored the regulations altogether, are facing fines, court cases, legal fees, and investigations.

Failure to comply can have significant consequences. The regulations allow for two tiers of administrative fines:

  • Up to 10 million Euros ($11.16 million) or 2 percent of a company’s annual global turnover (revenue) – whichever is greater.
  • Up to 20 million Euros ($22.3 million) or 4 percent of a company’s annual global turnover (revenue) – whichever is greater.

In addition to fines, companies can also be forced to take remedial actions to fix problems and notify those impacted. These actions can sometimes cost more than the fine itself. For example, digital marketing agency Bisnode was hit with a €220,000 ($245,000) fine for scraping data for ad targeting. In addition, Polish regulators required the company to mail 6 million notifications to those potentially affected, which is estimated to cost the company more than €8 million ($8.9 million).

GDPR Fines 2018 and 2019

So far, more than 90 GDPR fines and penalties have been levied against organizations. The largest GDPR fine to date is the 50 million Euro ($57 million) fine against Google for failure to disclose how data is collected and used to target advertisements.

Regulators have levied both large and small GDPR fines against organizations, including:

  • €400,000 ($449,000) was levied against Centro Hospitalar Barreiro Montijo in Portugal. Regulators found that more than 900 doctors had access to all patient records, whether they were treating the patient or not. This violated GDPR’s data minimization principle, which requires that data be accessible only to those with a business need.
  • A German social media company was fined €20,000 ($22,500) after a breach of 800,000 user email addresses and passwords. The company self-reported the incident and noted that the passwords were not encrypted.
  • An Austrian sports betting cafe was fined €5,280 ($5,891) for operating a closed-circuit camera that partially viewed public sidewalks. The company was cited for gathering personal data without getting explicit permission.

Facebook is also looking at a $2.2 billion (€1.97 billion) fine for allegedly storing millions of user passwords in unencrypted text, allowing some 20,000 employees to access those passwords. That would be the maximum fine under GDPR rules. It could be a big blow for the social media company, which announced during its recent earnings call that it was already setting aside another $3 billion for expected fines from the U.S. Federal Trade Commission.

In addition to the 91 GDPR fines so far, there are more fines and warnings on the way. Since the regulations went into effect, there have been nearly 100,000 complaints and 60,000 reported data breaches. As the backlog of claims is cleared, you can expect more fines for non-compliance to be levied. There are also multiple cases in front of the European Court of Justice related to GDPR.

In addition, new data handling and privacy laws are expected to be enacted. There’s been updated privacy and data security legislation in countries like Canada, Brazil, India, and China. In the United States, California passed the Consumer Privacy Act (CCPA). Several other states are looking at more stringent laws surrounding personal data. These new laws may dictate additional compliance measures.

RedLegg Can Help

The majority of companies still aren’t fully compliant with GDPR. As many as half of European companies say they haven’t completed compliance while only 27 percent of U.S. companies are up to speed for GDPR. Many more are unsure whether they comply.

Yet, the next wave of audits and compliance enforcement is coming. Are you prepared?

It’s not too late to make sure you are GDPR compliant. When evaluating incidents, regulators have taken a hard look at steps organizations took to comply. In cases where there were violations, fines were significantly lower if companies could demonstrate they had taken action in an attempt to comply.

If you aren’t 100 percent compliant, or you aren’t sure if your organization is compliant, you simply cannot afford to wait any longer.
