The EU’s General Data Protection Regulation (GDPR) has now been in force for four years. GDPR’s reach is global, and in the four years that it’s been in force, fines have reached a total of over €1.6 billion, with the majority of fines having been levied in the past 12 months. Also during that time, the UK left the EU, data protection regulation reforms were announced in the UK and the ICO appointed a new commissioner.
Any company that offers goods or services to anyone in the EU is required to comply with GDPR, and any employee who collects, processes or stores data as part of their responsibilities, needs to be trained in data protection rules and regulations, including business owners, directors, managers, supervisors, staff and contractors.
But now it’s been over four years since GDPR came into force and some might be asking if it’s still relevant, and why they should still care.
Biggest fines for the first half of 2022
Although we’re only halfway through 2022, we’ve seen some massive fines and penalties already for GDPR violations. What were some of the biggest fines so far in 2022 and what can we learn from them?
Enel Energia: €26.5m
Enel Energia, an international electricity and gas company based in Italy, was slapped with a €26.5 Million ($29.27 Million) fine, the biggest of the year so far. Italy’s data protection agency, the Garante, penalized the company with this fine after receiving hundreds of complaints against the company. The investigation found that Enel Energia was using its customers’ personal data unlawfully. The company used their private data to carry out telemarketing calls without getting user consent and without telling users how their data would be used.
Besides the fine, Garante ordered the Enel company to implement measures to comply with GDPR going forward and the company also made a commitment to implement “further technical and organisational measures to handle data subjects’ requests to exercise their rights”. Additionally, they committed to informing Garante what steps they’ve taken to comply.
Clearview AI: €9m
The controversial facial recognition company Clearview AI was slapped with a €9m fine and told to delete the data of its UK residents. The ICO’s investigation concluded that Clearview AI Inc. doesn’t have a lawful reason for collecting personal data, nor a process in place to stop data from being retained indefinitely and also fails to meet the higher data protection standards required for biometric data.
France, Italy, and Australia had previously taken enforcement against the firm. When Italy imposed a fine on the company, Clearview hit back by saying it did not operate under the jurisdiction of GDPR. They may try to argue the same now, as they have no operations in the UK. However, it’s unclear whether their appeal will be successful.
REWE International: €8m
The Austrian food retailer REWE International was fined €8 by the Austrian Data Protection Authority for mismanaging the data of users that took part in its loyalty member program. The program, called the jö Bonus Club, collected user data without consent and used it for marketing purposes. The company is trying to appeal the fine, arguing that the Club is a subsidiary company that operates independently from REWE, so the jö Bonus Club should be fined directly. This could lead to a reduction of the amount of the fine as GDPR penalties are set according to the fined organisation’s revenue. However, it’s unclear whether the appeal will succeed.
Cosmote Mobile Telecommunications: €6m
The Hellenic Data protection authority fined Greek mobile phone operator Cosmote Mobile Telecommunications €6m. There were two reasons behind the fine. Firstly, customers’ private information was exposed due to a hack that led to a data breach in September 2020. Secondly, since the company was actually illegally processing customer data, the September hack exposed significantly more data than it would have otherwise. In addition, the private data was not completely pseudonymised, which made it easier for hackers to identify individuals.
OTE Group: €3.25m
Cosmote’s parent company OTE Group was also fined in connection with the Cosmote fine. The HDPA found that the parent group was partially responsible for the hack, as the hacker used an OTE Group administrator password to enter Cosmote’s systems. Therefore, the HDPA fined OTE for failing to properly secure their data systems.
What can we learn from these fines?
- After four years of being in place, GDPR enforcement is not going away; if anything, it’s getting stronger and fines are getting bigger as organisations by this point are expected to have processes in place for keeping and enforcing the regulations.
- GDPR has a global reach, and your organisation could be found liable and fined no matter where in the world you are located.
- Many different types of organisations in a wide variety of industries, from food to telecommunications to tech, as well as government agencies and hospitals, have been targeted and fined thousands, millions, and even tens of millions of euros.
What are the most important steps organisations can take to avoid breaches and fines?
We are now in an era of hybrid working, and one where consumers are demanding a higher level of transparency, which only complicates GDPR compliance. Experts have predicted that it’s only the beginning: analysts in the privacy and regulatory spaces think that regulators have only just begun, and as an increasing number of people begin exercising their privacy rights, we’ll see more big cases and fines coming. Therefore, it’s more important than ever to ensure all staff members have the latest training and understanding of data protection.
Training is one of the key measures a company can take to ensure that staff comply with the regulation. A one-off generic course is not enough: training should be relevant and speak to each user’s unique role and responsibilities, and guidelines and best practice guidance should be kept current in staff’s minds with regular refresher training.
VinciWorks’ GDPR compliance solution is a one-stop shop for complete company-wide compliance. Our suite of GDPR courses ensures that all staff are trained via interactive, customisable courses. Whether staff are well–versed in GDPR or require in-depth onboarding training, we have you covered.
Even with the very best training, it’s possible that a breach will occur. A transparent reporting process will help companies identify data breaches, mitigate the risks and take any action required to ensure a data breach doesn’t happen again. According to GDPR best practice, any data breach, whether reportable to the authorities or not, should be documented. In situations where the authorities decide to carry out a thorough investigation of a GDPR breach, you’ll want to be able to provide as many details as possible. This will not only help you remember exactly what happened but it can also be used as proof that your company did everything required once the breach was discovered, which in some cases, can mitigate penalties and lower fines.
VinciWorks has built a best-practice reporting solution that allows staff to easily and efficiently report any data breaches or concerns.
All responses that require immediate action can be flagged, allowing data protection officers to easily monitor whether the breach has fully been resolved. Forms can easily be built and customised to request information relating specifically to the organisation and industry.