In January 2021, DLA Piper, one of the world’s leading law firms, provided evidence that GDPR-related fines have risen by 40% within the last year. Comparing the 20months period after the establishment of GDPR with the recent years has proved what many companies have feared. The unstable environment surrounding privacy laws has caused companies to fail in compliance and suffer eye-watering fines.
Regulators have received 331 violation notifications daily, from 28/1/2020 to 27/1/2021, that have accumulated into EUR158.5m (USD193.4m/ GBP142.7m) of fines. Compared to last year, the number of daily violations has grown by 19%, and researchers expect continuous growth with a double-digit increase. No EU state is left out when it comes to the occasional imposing of fines. One could think at least the UK businesses are given allowances, considering its recent departure from the EU, but quite the opposite is happening.
The authority in the UK, specifically the Information Commissioner’s Office, known as simply ICO, has done its fair amount of finning. The most famous cases include the intention to fine British Airways for £183.39m under GDPR for data breach and the fining of Marriott International Inc £18.4million for failing to keep millions of customers’ personal data secure. And while these seem like extreme examples, they are not very uncommon. The authorities do not fear imposing fines that reach up to 4% of the companies’ global turnover from the previous year.
Three substantial fines within the EU worth noticing include the French authority CNIL finning Google EUR50m for violating transparency and not having a legal basis for processing data, in other words, violation of Articles 6, 12, and 13 of the GDPR. The second most notable fine was imposed by the Hamburg authorities against H&M, the global retailer, for failing to have a sufficient legal basis for processing data - violating Articles 5 and 6 of GDPR. Last but not least, Italy’s authority - the Garante issued a fine against Telecome for multiple violations of privacy regulations, breaching Articles 5, 6, 17, 21, and 32 of the GDPR.
Many companies believed that the dust around privacy regulations would settle, and it will be reasonably easy to be legally compliant with all the laws and regulations. But it seems as if the legal landscape of privacy protection changes each time we believe it has reached the final stage. The amount of privacy data breaches has not decreased from 2019 to 2020. The dust appears never to settle, and so companies must be alert and ready for all kinds of changes.
The increase in fines and growth of uncertainty demonstrates that even though EU privacy laws stem from GDPR, the way organizations and authorities approach these laws varies to some extent. The result is uncertainty, an uncertainty that is especially challenging for companies operating in multiple countries. Additionally, due to the novelty of privacy concerns, businesses come head to head with insurance companies. While one party believes GDPR fines are covered under insurance policies, the other party disagrees. Problems seem to pile and pile for those businesses that did not take precautions.
Considering that the lawfulness, fairness, and transparency principle defined in Article 5 of GDPR is the most prioritized, it is not surprising that it takes the place of the most violated principle. The transparency principle is one of the earliest to be enforced. Hence the expectations for meeting its standards have been gradually increasing. You might think that having all information available on your website sounds like an easy job. Still, the number of fines for too complex, inaccurate, and incomplete privacy notices says otherwise. A very thin line exists between writing an overly complicated privacy notice and not providing enough information in the notice. However, walking the line is crucial.
An entity can process data only if it has a lawful basis for the action. For example, the police can collect your data because it serves the public interest. However, most commercial businesses must rely on the lawful basis of consent, as described in Article 6 (1a). Fines have been posed for not having a lawful basis, not providing proof of your legal basis, and relying on invalid consents. Naturally, penalties for not having any lawful basis are understandable. But companies who fail to show evidence of having a lawful basis face the exact charges as a company that does not have a lawful basis. In other words, keeping documentation and records about collected consents and data can be the difference between having to pay thousands of euros, krone, or dollars to the local authorities. Disclosing the lawful basis for all processing activities in the privacy notices is an essential first step in the right direction. Having an audit trail that records and stores consent, provides evidence of lawful processing is the next best step.
The implementation and maintenance of security measures is yet another responsibility of businesses under GDPR. Authorities expect firms to have a level of security that corresponds to the degree of risks of collecting, processing, and storing data. The principle of security measures appears primarily in Article 32 of GDPR. What is concerning about this principle and could be the primary cause of its violations is its lack of detail. Over the past three years and multitude of fines, companies have made a provisional list of security measures a company should follow to be compliant. This list includes, but is not bound to:
The list goes on, and now and then, measures are added. Which security measures are necessary for a company depends on its type and the country of its operations.
Article 5(1)(c) and (e) in detail describe the data minimization and the storage limitation principle, respectively. Processing an excessive amount of data or over-retention of data is perceived and sanctioned as a violation of GDPR. The data minimization and retention principles are present because their breach can lead to illegal processing and data leaks. It is important to note that firms can easily violate these principles accidentally due to unreliable processes, lack of an audit trail, and an inefficient consent management system. For example, if deleting data at the right time is done manually, it is close to impossible. Despite these revelations, the authorities did not make an exception when enforcing the data minimization and retention principle. German Berlin Commissioner for Data Protection and Freedom of Information imposed a fine of EUR14.5m on the Deutsche Wohnen SE in October 2019 for other violations and the data minimization and retention principle. In later days shoe retailer SPARTOO SAS was fined EUR250,000 by the French CNIL.
A GDPR breach is undeniably a severe issue for any company. The financial burden can reach 4% of the company's turnover. On the other hand, while economic consequences can be seen and accounted for within a short time. The customer perception of companies with data breaches and fines imposed based on GDPR violations can have long-lasting financial consequences, which cannot be seen right away.
Customer perception and its impact on companies have not yet been thoroughly researched, but it is needless to say that there are consequences. You can see from the KPMG research that 55% of consumers surveyed globally said they had decided not to make purchases online due to privacy concerns. Second-guessing services is only the beginning of consumers putting companies under scrutiny.
The positive news is that there are ways to navigate your business in these uncertain legal waters. Garner Inc. estimates that throughout 2022 companies will spend approximately $8 billion on compliance solutions. Likely, companies will spend most of the $8 billion won’t be spent on high-end lawyers. LegalTech is on the rise, slowly replacing parts of the legal landscape that have previously belonged to law firms. Many people believe it will be no different for GDPR compliance. An online compliance solution that is easy to integrate and even easier to use is a step in the right direction for any company.
Please find out more about our online compliance solutions on our website.