The General Data Protection Regulation (GDPR) was enacted in 2018, and over the last two years many companies, both big and small, have been fined for violations. In 2020 alone, more than 300 fines have been doled out. Some of the more notable companies to come under the gaze of the GDPR include Wind, AOK (a health insurer), and Austrian Post.
GDPR fines can be pretty steep. Businesses can be fined 20 million euros or 4% of their annual global revenue (whichever is higher). These fines can put more than a dent in any company’s budget. Lawmanaging has listed the top five fines that were handed down in 2020.
This global clothing retailer received the second-largest fine to date. H&M had to cough up over 35 million euros in October. Part of their leave policy requires employees to attend a meeting before returning to work. Because these meetings were recorded, stored, made accessible to over 50 managers, and used to make decisions about employees' employment, H&M violated the data minimization principle.
Telecom Italia (TIM) was fined 27.8 million euros shortly after the new year by Garante. The fine was levied after several years of violations. TIM had a rather aggressive marketing campaign that included telemarketing and other unsolicited communications. Some of those contacted were on do-not-call and exclusion lists. Had the company created opt-ins for its various marketing projects and honored the exclusion lists, it could have avoided this hefty fine.
The ICO fined the airline carrier 22 million euros for a 2018 breach that put the data of 400,000 people in the hands of hackers. British Airways was said to have taken insufficient cybersecurity measures, leaving their customers' data vulnerable.
20.4 million euros is nothing to sneeze at, and the ICO ordered Marriott to pay up after nearly 400 million guest records were exposed. Payment information and passport numbers were just some of the sensitive data exposed. Marriott's fine is an example of how important it is to pay attention to the finer details of data protection protocols.
The tech giant was fined 7 million euros this year after getting slapped with a whopping 50 million euro fine in 2019. The Swedish Data Protection Authority caught Google failing to remove some search results under Europe's "right to be forgotten" rule after being told to remove them in 2017.
Businesses are most often fined for non-compliance. As the world of e-commerce continues to grow and companies expand their reach, non-compliance fines will likely continue at an increasing rate for quite some time before plateauing. Between 2019 and 2020 there was a 260% increase in the number of fines; only 20% of companies in the USA, UK, and EU are GDPR compliant, and an even larger percentage hasn't even started mapping out plans for becoming compliant. It is not likely that we will see any fewer fines doled out in 2021.