
Mapped: Every GDPR Fine and Enforcement Action to Date

A new study by PC recycling company Computer Disposals Limited measures the distribution of GDPR fines across European countries against the financial penalties levied as a result, revealing some marked discrepancies.

After just over a year of GDPR enforcement across Europe, we can start to draw some conclusions about which countries have fallen foul of the regulations and been hit with serious fines as a result. That said, these are the early days of enforcement, and so the number of infractions is perhaps to be expected as businesses adapt to GDPR’s new rules.

Whether these fines stem from negligence or carelessness is tough to tell at this stage. But where the qualitative data is perhaps lacking, the quantitative data accrued so far is still telling.

From the results so far, we can see which countries have incurred the most fines, which have been hit with the highest fine amounts, and what the most common reasons for GDPR fines are. Below we go through the results of every GDPR fine and enforcement action to date.

Which country has the most fines to date, volume-wise?

In terms of the number of fines, the clear “winner” was Spain, with a whopping 38 instances. Germany and Romania, which tied for the second highest count, each had a comparatively modest 17 instances. At the other end of the scale, Italy, Malta and Lithuania had one infraction each to their name, as of January 2020.

Which country has the highest fine amounts to date?

However, as the results show, the most fines don’t necessarily equate to the dearest fines. Despite garnering the highest number, Spain’s 38 infractions cost just over one million euros. Compare this to the UK, which was hit with only 3 fines – one of the lowest counts – but these high-profile instances (which came at the expense of Marriott International and British Airways) came in at an enormous 315,310,200 euros. Set against second-place France’s 51 million euros, the UK’s costs are clearly in front by some margin.

The most common reasons for GDPR fines

Insufficient legal basis for data processing

In order to process personal data, there must be a valid lawful basis. Companies that have incurred this type of fine lack one of the six lawful bases needed for processing, which are as follows:

  • Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  • Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  • Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  • Vital interests: the processing is necessary to protect someone’s life.
  • Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party.

Insufficient fulfilment of information obligations: GDPR gives individuals a right to be informed about the collection and use of their personal data. If a company or organisation does not fulfil these information obligations, it is in violation of the terms laid out by GDPR.

Insufficient fulfilment of data subject rights: Individuals have a right to know what data an organisation is collecting and what it is doing with it. They also have a right to obtain a copy of the collected data, to have that data corrected, and to have it erased. A company that fails to provide individuals with these rights is in breach of its information obligations.

Non-compliance with general data-processing principles: GDPR sets out seven principles for the lawful processing of personal data, which are broadly:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

Insufficient cooperation with supervisory authority: Companies that fail to comply with any order from the monitoring bodies of the GDPR run the risk of facing a vast fine, regardless of what the original infringement was.

Insufficient technical and organisational measures to ensure information security: Technical and organisational measures, also known as the security principle, cover the way information is stored and transmitted, as well as how data is accessed, altered and deleted. They also ensure that data is easily recoverable in the event of deletion or alteration. Organisations without these measures in place are in violation of GDPR and face a fine as a result.

Analysis: GDPR’s unavoidable price of non-compliance, by Ben Griffin, Director at Computer Disposals Ltd

Recent research published by Computer Disposals Limited provides us with a picture of non-compliance after just over a year of GDPR enforcement. Across Europe, companies of varying size were hit with fines of similarly varying amounts as a result of negligence or carelessness.

The research demonstrates that GDPR’s fines for any infraction are a very real risk no matter who, or how big, you are as a company. Case in point: two of the UK’s most well-known businesses, British Airways and Marriott, failed to adequately protect their customers’ data. This led to two cyberattacks in which sensitive data was accessed and harvested, a breach of GDPR policy that resulted in massive fines, as well as a PR disaster, for both companies.

What can be avoided, though, is being fined in the first place. If you’ve been entrusted with data from customers or other businesses, then it’s imperative that you have the appropriate cybersecurity measures in place to avoid the errors that befell Marriott and British Airways. These large fines underline the importance of maintaining the highest standard of cybersecurity; data breaches and cyber-attacks can happen to anyone, and no one is exempt from adhering to the policies of GDPR.

As a business, strengthening your cybersecurity should be one of your top priorities.

With 2020 well underway, and increasing fines likely to be levied on businesses of all kinds, guarding yourself against both fines and cyber-attacks should be on the agenda going forward.

*Data correct as of January 2020.
