GDPR offenders and their fines
The year 2019 has shown that EU supervisory authorities have no mercy when it comes to violations of the General Data Protection Regulation (GDPR, German: DSGVO). These are the most significant fines of 2019.
The EU regulator has already imposed numerous fines related to the GDPR. Below are a few examples shared by SailPoint and Precise Security:
Case 1
In July 2019, British Airways was hit with a record fine of more than 200 million euros. The UK's data protection authority, the ICO, penalized the airline after criminals were able to read the credit card information of up to half a million of the airline's customers.
Case 2
The ICO also imposed a fine of over 110 million euros on the U.S. company Marriott International. The reason was a security breach in November 2018 that exposed around 339 million guest records; 30 million of these concerned residents of 31 European countries, and a further seven million concerned British citizens.
Case 3
Google is not above the law either. With a 50-million-euro fine, Google finds itself in third place among the worst data offenders of 2019. The fine was imposed on the U.S. company by the French data protection authority CNIL because Google failed to provide its users with enough information about consent to its data policies. In addition, the tech giant did not give its customers sufficient control over the use of their personal information.
Case 4
Finally, there was recently the highest GDPR fine ever imposed in Germany: The Berlin data protection authority fined real estate group Deutsche Wohnen SE a record 14.5 million euros. The reason was that the company stored personal information of its tenants without checking whether this was necessary or lawful. Sensitive data on personal and financial situations was allegedly retained for years. At present, the fine decision is not yet legally binding, and the organization can still appeal.
Case 5
Fintech providers must meet the strictest compliance requirements, as they store, transfer and process sensitive personal and financial data as part of their services. The penalties for violating these requirements are correspondingly severe: as recently as May 2019, the Berlin data protection authority imposed a fine of 50,000 euros on an app-based bank.
The examples can be extended at will. (Editor's note: The presumption of innocence also applies in the case of GDPR penalties until a final court decision has been made).
Compliance moves into focus
The fact is that companies have to deal with the issue of compliance on an ongoing basis, because complying with such a complex regulation is not a one-off matter, as Volker Sommer of SailPoint further writes, adding: "This includes both organizational and technical measures. The first and most important step businesses must take is to conduct a comprehensive security review and risk assessment and map their data to data owners across their environment. Successful GDPR compliance requires that each business knows who its users are, where government-controlled and sensitive data resides, and how it exists. Once data and ownership are captured, organizations must strengthen controls that determine who does and does not have access to certain information. Data access must be controlled by 'least privilege' so that access to only minimal resources is allowed and that to sensitive data is severely restricted. These privileges must be reviewed on a regular basis."
Sources: SailPoint, Precise Security, Kafka Communication Ltd.