GDPR turns three: The biggest fines so far

More than 600 fines have been issued under the EU's data protection regulation since it came into force in 2018

The European Union's General Data Protection Regulation (GDPR) has now been in operation for three years

The legislation governs the way that organisations that operate in the EU can use, process and store consumers' personal data, replacing older data protection laws that were not adequate for the advancing use of technology and data collection.

Since its launch on 25 May 2018, there have been more than 600 fines issued by various data regulators around the continent, with penalties ranging from €111 million down to just €28. 

"GDPR has become ubiquitous and everyone seems aware of its existence even if, in my experience, they don't really understand what it means they should do," cloud lawyer and Wallace LLP law firm partner Frank Jennings told IT Pro. "Since data is the new commodity, this new caution around the handling of personal data, underpinned by the recent high fines against BA and Marriott, is a welcome development." 

British Airways currently holds the unwanted accolade of the biggest GDPR fine, having forked out €211.7 million for a data breach that the UK's Information Commissioner's Office (ICO) ruled as "negligent". Hackers managed to infiltrate the company's website with malicious code that redirected its users to a fraudulent site, enabling them to harvest around 500,000 customers' details. The dataset included login credentials, booking details, names, addresses and credit card information. 

Related Resource

The hot cloud storage guide to backup and recovery

What is cloud object storage, why is it on the rise, and what option should you choose?

Hot Cloud StorageDownload now

Similarly, hotel chain Marriott International was fined for a data breach that the ICO also said was its own fault as it didn't do enough to safeguard its systems. Worse, the firm was attacked in 2014 and only confirmed the breach four years later in 208, despite the fact that 300 million customers had their credit card details exposed, along with birth dates and passport numbers. A fine of €110.3 million was issued. 

The third-largest fine is the first to involve one of the major tech firms. Google was ordered by French data protection regulator CNIL to pay €50 million for a "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation". The regulator said that users were not sufficiently informed about how Google had collected their data for personalised advertising. 

"The use of personal data will continue to be important as AI and the Internet of Things continue to take off and compliance will be tested," Jennings added.

"Also, while the UK has promised to adhere to GDPR standards to enable data transfers to continue after leaving the EU, there is the possibility the UK Supreme Court could reach a different decision on the same area as the European Court of Justice. And the EU Commission is finally about to update its model clauses for data transfers. Compliance with GDPR will always be there, just like health and safety compliance."

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Most Popular

What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Google takes down map showing homes of 111,000 Guntrader customers
data breaches

Google takes down map showing homes of 111,000 Guntrader customers

2 Sep 2021
Intuit plans end-to-end SMB platform after $12 billion Mailchimp acquisition
mergers and acquisitions

Intuit plans end-to-end SMB platform after $12 billion Mailchimp acquisition

14 Sep 2021