25 May 2018 was the effective date of the GDPR, the date by which every organisation falling within the scope of the regulation needed to have implemented specific policies and procedures in accordance with the GDPR's requirements.
Here is what we noticed during this first year:
During the first few months after the GDPR came into effect, the DPAs started with exploratory investigations by offering recommendations and guidance to companies. However, the practice of the DPAs has changed since then.
During this first year of the GDPR, numerous fines were imposed in different states across Europe. All types of business were affected: high-profile fines against Internet giants, but also fines against smaller organisations, illustrating how seriously breaches are being treated by DPAs across Europe.
One year in numbers
Since the GDPR's effective date, the European Commission has shown that it is closely watching how the new rules are applied. The fines over the last year total over €56 million across 91 companies, including €50 million against a single organisation. Although this is still a significant amount, none of the imposed fines came anywhere near the widely proclaimed maximum of 4% of a company's total global revenue.
The approach taken by the Commission suggests that the main goal is not to impose unbearable fines and put companies out of business, but rather to "slap" the guilty organisations and give them a chance to fix the issues. Is this approach going to change? Most likely, yes.
The first GDPR fines
Nowadays, the Commission seems to reward good behaviour as much as it punishes bad behaviour. A perfect example of this is the first company to be fined under the GDPR, a German social media platform called Knuddels. At first glance, the offence seems to be a major one: a data breach that compromised the email addresses and passwords of 330,000 users. Yet the fine was relatively small, only €20,000, compared to what Knuddels could have been charged. The Commission noted that the company proactively and quickly notified the German data protection authorities and its customers. It also worked quickly to implement the security procedures that were recommended to address the breach.
In contrast, another case from this first year, in Portugal, led to a severe response from the Commission. The case concerned multiple infringements of the regulation by Centro Hospitalar Barreiro Montijo, a hospital in Portugal. The hospital was fined €400,000 even though, technically, it had not suffered a data breach. It was found, however, to have ignored one of the core concepts of the GDPR, which is security by design and by default. The hospital allowed indiscriminate access to patient records by an excessive number of users: there were 985 profiles with the access level of a doctor, but only 296 doctors in the hospital. To make matters worse, all doctors could see all patient records, including the records of other doctors' patients.
The severity of the Commission's reaction suggests it considered these and other actions of the hospital to be a conscious violation of the GDPR. Although the hospital did take steps to correct the issue once it was identified, it appeared to have essentially ignored the GDPR until someone came knocking on its door. The result was a €400,000 fine. Still, the amount could have been much larger.
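The two failures described above, too many accounts holding the doctor role and every doctor able to read every record, are what an access review and a need-to-know check are meant to catch. The following is an added example, not code from the article or from the hospital's systems; the roster, accounts, records, access log and the "treating relationship" rule are all constructed for illustration.

```python
# Added example (constructed data): audit role provisioning against a staff
# roster, enforce default-deny record access based on a treating relationship,
# and review an access log for reads that fall outside that relationship.
from dataclasses import dataclass


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    treating_doctors: frozenset  # staff ids with a treating relationship


# Constructed roster: three doctors and one nurse are actually employed...
STAFF_ROSTER = {"d001": "doctor", "d002": "doctor", "d003": "doctor", "n001": "nurse"}
# ...but five accounts carry the "doctor" role; d004 and d005 are orphaned.
ACCOUNT_ROLES = {"d001": "doctor", "d002": "doctor", "d003": "doctor",
                 "d004": "doctor", "d005": "doctor", "n001": "nurse"}
RECORDS = {
    "p1": PatientRecord("p1", frozenset({"d001"})),
    "p2": PatientRecord("p2", frozenset({"d002", "d003"})),
}
# Constructed access log entries: (account, patient record read).
ACCESS_LOG = [("d001", "p1"), ("d001", "p2"), ("d004", "p1"), ("d002", "p2")]


def audit_role_provisioning(roster, account_roles, role="doctor"):
    """Compare accounts holding a role with the staff entitled to it.
    Returns (accounts_with_role, staff_entitled, sorted orphaned account ids)."""
    with_role = {a for a, r in account_roles.items() if r == role}
    entitled = {s for s, r in roster.items() if r == role}
    return len(with_role), len(entitled), sorted(with_role - entitled)


def can_read_record(user_id, account_roles, record):
    """Default deny: the doctor role alone grants nothing; a treating
    relationship with this particular patient is required as well."""
    if account_roles.get(user_id) != "doctor":
        return False
    return user_id in record.treating_doctors


def reads_outside_treating_relationship(access_log, records):
    """Detection: list (account, patient) reads not backed by a treating
    relationship, i.e. the 'every doctor sees every record' pattern."""
    return [(user, pid) for user, pid in access_log
            if pid in records and user not in records[pid].treating_doctors]


if __name__ == "__main__":
    print(audit_role_provisioning(STAFF_ROSTER, ACCOUNT_ROLES))
    print(reads_outside_treating_relationship(ACCESS_LOG, RECORDS))
```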
Another significant fine was issued by the Polish DPA: €220,000 against a Polish company, at the end of March, for failing to inform individuals that their data would be processed. This was the first fine issued by the Polish Personal Data Protection Office.
The Dutch DPA set an interesting precedent by sanctioning the country's tax authorities for using the national identification number as part of the VAT return number for self-employed persons. According to the DPA, the use of the national identification number for this purpose has no legal ground and increases the risk of identity fraud. As a result, from 1 January 2020, the processing of the national identification number for VAT purposes will be prohibited.
In Malta, the DPA imposed a similar, but temporary, sanction on the country's national land register while it investigated how the authority had handled a data breach. The effect is that no further data can be compromised while the investigation takes place, something we may well see more of, in the form of temporary processing bans, in other countries.
Largest fine under GDPR
The largest GDPR fine to date was against Google. According to the Commission, ordinary people were "not sufficiently informed" about how Google collected and used their data, and Google did not obtain proper consent to collect and use it. Google's European headquarters are in Ireland, but the French privacy watchdog had no problem levying the €50 million fine on a company based in a completely different country.
The first year of the GDPR shows us that many organisations struggle to process personal data lawfully. It also shows that the hefty fines prescribed by the GDPR do not aim to bankrupt businesses, but rather to protect the personal data of natural persons.