GDPR turns three: The biggest fines so far

More than 600 fines have been issued under the EU's data protection regulation since it came into force in 2018

The European Union's General Data Protection Regulation (GDPR) has now been in operation for three years

The legislation governs the way that organisations that operate in the EU can use, process and store consumers' personal data, replacing older data protection laws that were not adequate for the advancing use of technology and data collection.

Since its launch on 25 May 2018, there have been more than 600 fines issued by various data regulators around the continent, with penalties ranging from €111 million down to just €28. 

"GDPR has become ubiquitous and everyone seems aware of its existence even if, in my experience, they don't really understand what it means they should do," cloud lawyer and Wallace LLP law firm partner Frank Jennings told IT Pro. "Since data is the new commodity, this new caution around the handling of personal data, underpinned by the recent high fines against BA and Marriott, is a welcome development." 

British Airways currently holds the unwanted accolade of the biggest GDPR fine, having forked out €211.7 million for a data breach that the UK's Information Commissioner's Office (ICO) ruled as "negligent". Hackers managed to infiltrate the company's website with malicious code that redirected its users to a fraudulent site, enabling them to harvest around 500,000 customers' details. The dataset included login credentials, booking details, names, addresses and credit card information. 

Related Resource

The hot cloud storage guide to backup and recovery

What is cloud object storage, why is it on the rise, and what option should you choose?

Hot Cloud StorageDownload now

Similarly, hotel chain Marriott International was fined for a data breach that the ICO also said was its own fault as it didn't do enough to safeguard its systems. Worse, the firm was attacked in 2014 and only confirmed the breach four years later in 208, despite the fact that 300 million customers had their credit card details exposed, along with birth dates and passport numbers. A fine of €110.3 million was issued. 

The third-largest fine is the first to involve one of the major tech firms. Google was ordered by French data protection regulator CNIL to pay €50 million for a "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation". The regulator said that users were not sufficiently informed about how Google had collected their data for personalised advertising. 

"The use of personal data will continue to be important as AI and the Internet of Things continue to take off and compliance will be tested," Jennings added.

"Also, while the UK has promised to adhere to GDPR standards to enable data transfers to continue after leaving the EU, there is the possibility the UK Supreme Court could reach a different decision on the same area as the European Court of Justice. And the EU Commission is finally about to update its model clauses for data transfers. Compliance with GDPR will always be there, just like health and safety compliance."

Featured Resources

How to choose an AI vendor

Five key things to look for in an AI vendor

Download now

The UK 2020 Databerg report

Cloud adoption trends in the UK and recommendations for cloud migration

Download now

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

Download now

The impact of AWS in the UK

How AWS is powering Britain's fastest-growing companies

Download now

Recommended

Researchers send “unhackable” quantum data over 370-mile optical fiber
data protection

Researchers send “unhackable” quantum data over 370-mile optical fiber

11 Jun 2021
New study shows global privacy investments increasing
data protection

New study shows global privacy investments increasing

2 Jun 2021
Misconfigured cloud services exposed 100 million Android users' data
data breaches

Misconfigured cloud services exposed 100 million Android users' data

21 May 2021
Senators introduce a new bill to protect consumer data privacy
data protection

Senators introduce a new bill to protect consumer data privacy

20 May 2021

Most Popular

Ten-year-old iOS 4 recreated as an iPhone app
iOS

Ten-year-old iOS 4 recreated as an iPhone app

10 Jun 2021
Fastly blames software bug for major outage
public cloud

Fastly blames software bug for major outage

9 Jun 2021
GitHub to prohibit code that’s used in active attacks
cyber security

GitHub to prohibit code that’s used in active attacks

7 Jun 2021