GDPR has now been in effect for two years. During this time, data protection authorities across Europe have imposed fines on organisations for non-compliance. The DPC issued the first fine to Tusla recently. Some of the more notable fines are listed below.
The GDPR has increased accountability and has resulted in greater awareness of data protection issues across Europe. There are many reasons for this, including potential fines and reputational risks, new enforcement powers, Data Protection Officer requirements and the public debate that has surrounded GDPR’s adoption.
The threat of strong enforcement has resulted in further investment in data protection compliance across industry. There has been an increased uptake of comprehensive data protection management programmes, with organisations revisiting existing programmes to ensure they are up to date.
Tusla becomes first organisation in Ireland fined by DPC for unauthorised disclosure of information
The child and family agency, Tusla, has become the first organisation in Ireland to be fined by the Data Protection Commission under GDPR. The agency was fined €75,000.
The breaches related to three separate incidents where information about children was wrongly disclosed by Tusla to unauthorised parties. In one incident, the contact and location information of a mother and a child were disclosed to an alleged offender, and in the two other incidents, information about children in foster care was improperly disclosed to relatives, including to a father in prison.
UK ICO to fine Marriott £99m (€110m) for data breaches
Hackers accessed Marriott’s systems repeatedly between 2014 and 2018 to steal the personal and financial details of up to 500 million customers.
The ICO said Marriott had failed to undertake sufficient due diligence and should have done more to make sure its IT systems were secure.
The fine has been deferred to later in 2020 pending further investigations.
France’s CNIL fines Google €50m for lack of transparency and consent
Google was accused of hiding its data usage policies, particularly regarding ad personalisation, across several documents, and users would have to click 5 or 6 times to access these documents.
Consent was not collected in a “specific” or “unambiguous” way, as users creating a Google account were only asked to agree to terms of service instead of agreeing in particular to ad personalisation, for example.
Spain’s AEPD fined LaLiga €250,000 for app’s spy mode to detect streaming licenses in pubs
The LaLiga app allows users to access minute-by-minute commentary of football matches. However, without the explicit permission of users, it used the microphone and GPS of fans’ phones to record their surroundings in a bid to identify bars which are unofficially streaming games instead of coughing up for broadcasting rights.
UK ICO fines British Airways £183m (€203m) for poor data protection
Hackers harvested details including login, payment card, name, address and travel booking information of over 500,000 customers after diverting them from the British Airways website and app to a fraudulent website over a sustained period of time.
The fine is equivalent to 1.5% of British Airways’ global turnover. It has also been deferred to later in 2020.
What do I need to know about GDPR?
GDPR is a sizeable directive, with three times as many articles and five times as much volume compared with previous data protection law. Here are some of the big changes:
- Fines for non-compliance can reach up to €20,000,000 or 4% of an organisation’s global turnover
- Consent can no longer be implied: it must be “freely given, specific, informed and unambiguous”
- Maintaining and enforcing your own organisation’s policies is now a legal requirement under the GDPR
- Privacy by design will be a standard in information management systems
- Changes to the rules about which companies must employ Data Protection Officers
What do I need to do?
GDPR has been in effect for over two years, so the best time to ensure your organisation complies with the law is right now.
We offer a range of training courses, from staff awareness training all the way up to certification for Data Protection Officers. We can also offer you a GDPR Readiness Audit to help you start the roadmap to compliance.
Our next upcoming courses are:
European Certified Data Protection Officer 6-8 day programme, running online. Courses scheduled throughout the year.
Certified Data Protection Practitioner 3 day course, running online from 20 July.