Services List
In our previous discussion, we looked at how far we've come since the implementation of the General Data Protection Regulation, set by the European Union, effective May 2018. In this section, we uncover how costly non-compliance to this worldwide benchmark for data privacy has been for some organisations. We also look at what to expect in terms of new developments and amendments to the Regulations going forward into 2024.
Covered in this Article
The Implications of Non-Compliance
GDPR Enforcement
Planned Amendments for 2024
Ongoing Evolution
The Implications of Non-Compliance
We previously considered the benefits and challenges posed to businesses by the implementation of the GDPR. Since the implementation of the GDPR in May 2018, several landmark cases have shown the cost of non-compliance. If you are a big corporate with billions to spare, this may not really seem to be such a major deal. But consider an SME, with already limited resources, being fined for non-compliance with the requirements of the GDPR - it could mean the end of the road for them. Costs also include more than the monetary fines and penalties - there is also the reputational risk to contend with. In our analysis below we have only listed the value of the fines imposed by the various Data Protection Authorities (DPAs).
Let’s look at some of the cases where significant fines and penalties for non-compliance have been incurred:
| Date |
Details |
Value of Fine |
Violation |
| January 2019 |
Google is fined by the French data protection authority (CNIL in France). |
€50 million |
Lack of transparency and valid consent regarding personalised advertising. |
| January 2020 |
TIM (Telecom Italia) is fined by Italy’s data protection authority, Granate. |
€27.8 million |
Unlawful data processing, aggressive marketing practices and invalid consent. |
| October 2020 |
British Airways is fined by the UK’s Information Commissioner’s Office (ICO). |
£20 million |
Failure to protect personal data resulted in a data breach from a cyber-attack in 2018, affecting the personal data of around 400 000 customers. |
| October 2020 |
H&M is fined by the German data protection authority, HmbBfDI. |
More than €35 million |
Illegal surveillance of employees through collecting excessive personal information about employees at its Nuremberg service center, including private details about their personal lives. |
| July 2021 |
Amazon is fined by Luxemborg’s National Commission for Data Protection (CNPD) |
A whopping €746 million |
Non-compliance with GDPR's processing of personal data. |
| September 2021 |
WhatsApp is fined by the Data Protection Commission of Ireland for lack of transparency. |
€225 million |
Failing to provide clear information to users about how their data was shared with parent company Facebook. |
| September 2022 |
Meta is fined by the Data Protection Commission of Ireland for lack of transparency. |
€405 million |
Failing to protect children’s privacy through the publication of email addresses and phone numbers on Instagram. |
| May 2023 |
Meta is again fined by the Data Protection Commission of Ireland for lack of transparency. |
€1.2 billion |
The transfer of personal data of European users to the United States without adequate data protection mechanisms. |
These landmark cases demonstrate the seriousness with which regulatory authorities are enforcing GDPR compliance and the significant financial risks for businesses that fail to comply. They also highlight the complex and multi-faceted nature of GDPR compliance, encompassing issues ranging from data security to transparency and consent. The fine levied on Meta in May 2023 surpasses all others and is a clear warning to other businesses that the GDPR’s requirements are not to be viewed as trivial.
GDPR Enforcement
The fines levied under GDPR, through a two-tier fine structure, for instances of non-compliance, are designed to make any departures from data security a costly mistake. Less severe infringements can result in a fine of €10 million or 2% of a firm’s annual revenue from the preceding financial year, depending on which amount is higher. More serious violations can result in a fine of up to €20 million or 4% of a firm’s annual revenue from the preceding year, depending on what is higher.
According to Statista, data protection fines have reached record highs in 2023. With 151 violations in 2019, fines issued amounted to a total of €73 million. Five years later and 154 fines have been imposed to the value of €1 623 million. A clear spike in violations during 2021 is evidenced in the graph below.
The drastic increase in the number of fines and value of such levied in recent years reflects a growing lack of consent and transparency - a cause for concern when it comes to protecting individuals' rights as far as their data is concerned. It is, however, reassuring to see that European Regulators are actively enforcing the law.
Planned amendments for 2024
At present the GDPR is enforced by independent national Data Protection Authorities (DPAs), as well as national courts in member countries. In cases involving processing or where multiple data subjects in more than one member state are affected, the DPA in the area where the entity is under investigation takes the lead. Other DPAs then cooperate with the lead DPA.
Going forward the European Commission has proposed some changes to rules in order to promote cooperation, and harmonisation between all parties involved and assist in the timely completion of investigations and resolution for affected individuals.
Streamlining cooperation
The purpose of the amendment is to provide tangible procedural rules for authorities when applying the GPDR in situations that affect individuals located in more than one member state.
For example, the lead Data Protection Authority will be required to send a “summary of key issues” to its counterparts, identifying the main elements of the investigation and its opinion of the case. Other authorities will be able to provide their views on the matter early on, helping to reduce disagreements and foster consensus from the initial stages of the investigation.
Implications for individuals
Individuals will be informed of what they need to submit when making a complaint. In addition, DPAs will ensure the appropriate involvement of the individuals throughout the process. The new rules also establish common rights for complainants to be heard in cases where their complaints are fully or partially rejected.
Implications for businesses
Businesses (both controllers and processors) will be informed of their due process rights when a DPA investigates a potential breach of the GDPR. Those being investigated have the right to be heard at specific stages during the investigation. Provision is also made for dispute resolution between parties by the European Data Protection Board.
Ongoing evolution
By harmonising the procedures followed in respect of the GDPR compliance enforcement process, the focus forward is on supporting the timely completion of investigations and the delivery of swift corrective actions for individuals.
Based on the outcomes of the past five years and the planned amendments for 2024 onwards, it is clear that the GDPR is continuously evolving. It is therefore vital for businesses to stay informed and adapt to the changing regulatory landscape.
Quick Lists
Services List
Subscribe
The Psychology Behind Conversions
Explore the psychology of CRO in our FREE e-book to boost conversions and profits by understanding customer behaviour and decision-making factors.
