It has been almost a full year since compliance with the EU’s General Data Protection Regulation (GDPR) became mandatory, yet many companies are still not fully complying with GDPR requirements and are risking severe financial penalties.
The past 12 months have seen several fines issued for non-compliance, but the number of fines issued has also been much lower than expected, especially for data breaches. In the past year, only a quarter of a percent of reported data breaches have resulted in a GDPR fine, according to figures from Digi.me.
Part of the reason may be that supervisory authorities have a huge backlog of cases to investigate. In the United Kingdom, for example, 11,468 data breaches have been reported and 37,798 complaints have been filed by consumers. Investigating those breaches and complaints takes time. It has also been suggested that businesses are over-reporting breaches, which only adds to the backlog of cases to investigate.
Some supervisory authorities have started taking action over GDPR violations in recent weeks. The first GDPR fine was issued in Italy by Garante over the failure of the Rousseau Association to implement appropriate security measures. The Rousseau Association was issued with a fine of €50,000.
The supervisory authorities in Poland and Denmark also recently issued their first fines. In Denmark, a taxi company, Taxa 4×35, was issued with a GDPR fine by Datatilsynet and was ordered to pay $180,000. The fine was issued for a violation of the GDPR’s data minimization principle: the taxi company had deleted data subjects’ data after 2 years but retained their phone numbers.
In Poland, the digital marketing company Bisnode was fined €220,000 for failing to fulfil Article 14 requirements concerning data subjects’ rights. Data subjects were not given the option to restrict further data processing, to request changes to their data, or to exercise their right to erasure.
While some data breaches and GDPR violations have resulted in financial penalties, the fines have been relatively low. There have been some sizable financial penalties, but they have been nowhere near the maximum of €20 million or 4% of global annual turnover that GDPR permits.
The largest fine was issued in January by the French supervisory authority. Google was ordered to pay €50 million for failing to obtain a legal basis for data processing and for a lack of transparency. The fine was certainly large but it fell well short of the 4% of global annual turnover maximum.
More large GDPR fines for noncompliance can be expected in 2019. The supervisory authorities in Ireland and the United Kingdom have said they will be issuing large financial penalties to companies in 2019. Both supervisory authorities have been investigating data breaches and privacy violations and will be taking action against the companies concerned. The cases have been complex, and it has taken time to investigate and gather evidence, but they are almost concluded. The financial penalties will be announced in the next few months.