GDPR turns three: The biggest fines so far

More than 600 fines have been issued under the EU's data protection regulation since it came into force in 2018

The European Union's General Data Protection Regulation (GDPR) has now been in operation for three years

The legislation governs the way that organisations that operate in the EU can use, process and store consumers' personal data, replacing older data protection laws that were not adequate for the advancing use of technology and data collection.

Since its launch on 25 May 2018, there have been more than 600 fines issued by various data regulators around the continent, with penalties ranging from €111 million down to just €28. 

"GDPR has become ubiquitous and everyone seems aware of its existence even if, in my experience, they don't really understand what it means they should do," cloud lawyer and Wallace LLP law firm partner Frank Jennings told IT Pro. "Since data is the new commodity, this new caution around the handling of personal data, underpinned by the recent high fines against BA and Marriott, is a welcome development." 

British Airways currently holds the unwanted accolade of the biggest GDPR fine, having forked out €211.7 million for a data breach that the UK's Information Commissioner's Office (ICO) ruled as "negligent". Hackers managed to infiltrate the company's website with malicious code that redirected its users to a fraudulent site, enabling them to harvest around 500,000 customers' details. The dataset included login credentials, booking details, names, addresses and credit card information. 

Related Resource

The hot cloud storage guide to backup and recovery

What is cloud object storage, why is it on the rise, and what option should you choose?

Hot Cloud StorageDownload now

Similarly, hotel chain Marriott International was fined for a data breach that the ICO also said was its own fault as it didn't do enough to safeguard its systems. Worse, the firm was attacked in 2014 and only confirmed the breach four years later in 208, despite the fact that 300 million customers had their credit card details exposed, along with birth dates and passport numbers. A fine of €110.3 million was issued. 

The third-largest fine is the first to involve one of the major tech firms. Google was ordered by French data protection regulator CNIL to pay €50 million for a "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation". The regulator said that users were not sufficiently informed about how Google had collected their data for personalised advertising. 

"The use of personal data will continue to be important as AI and the Internet of Things continue to take off and compliance will be tested," Jennings added.

"Also, while the UK has promised to adhere to GDPR standards to enable data transfers to continue after leaving the EU, there is the possibility the UK Supreme Court could reach a different decision on the same area as the European Court of Justice. And the EU Commission is finally about to update its model clauses for data transfers. Compliance with GDPR will always be there, just like health and safety compliance."

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

Improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022
How to speed up Windows 11
Microsoft Windows

How to speed up Windows 11

7 Jan 2022