Yes, the GDPR has Teeth. Which Nations were the Most Fined?

The EU’s General Data Protection Regulation (GDPR) set new standards and boundaries in the data processing and protection space, both locally and globally. These days you better think twice about your current and future data practices to ensure your data procedures are legitimate and the safety of your customers’ Personal Identifiable Information (PII) is not compromised.

However, this does not apply to all of your existing or potential customers. The GDPR is only for those who reside in the European Union. This can include EU citizens, permanent or temporary residents. No matter who belongs to which category or member state, your obligation is to protect all of their data and to enable them to practice their rights as mandated by the GDPR.

The GDPR was put into force in mid-2018, and the first fines arrived not long after. To be clear, companies from all member states and those who have registered business operations within them need to establish the GDPR compliance, as well as those who only exchange products or services with the EU. Unfortunately, many companies have failed to comply and are now facing massive fines of millions of euros.

Within a year of its enactment there were 340 GDPR fines totaling €158,135,806! The first and the heftiest one came in early 2019. Observing these cases, EU and UK companies were mostly struggling with lawsuits due to inadequate privacy measures. Moreover, Privacy Affair’s GDPR Fines Tracker shows that every EU member state and the UK have issued at least one fine. However, some countries suffered more than others.

Let’s check out the scary GDPR penalties and learn from them!

1.The GDPR penalty structure

The EU legislation set a maximum fine of €20 million or 4% of a company’s global annual revenue, which is the worst fine scenario. For instance, the heftiest 4% fine to date was more than double €20 million. You will receive whichever infringement or fine is more costly.

However, not every data infringement leads to a GDPR fine. There are softer measures taken by the supervisory authorities that can issue reprimands and warnings, require restriction or deletion of customer personal data, or impose a permanent or temporary ban on data collection, transmission and storing. One of such legal bodies is the UK’s ICO (Information Commissioner’s Office), which can even suspend data transfers to third parties.

2. For what data practice can you be punished?

The GDPR is all about respecting consumers’ rights and guaranteeing the maximum cyber protection of their personal data. The first and foremost GDPR requirement is that you inform consumers of any action taken that is related to the use of their personal data. After you have provided such notice, they have a right to give their consent or to reject such actions. It is simple, you cannot collect, sell or share customer data without consent because that would be considered data misuse and you could face the GDPR litigation.

The moment you receive consumer consent, your data processing becomes completely legitimate and you can enjoy the benefits of having access to their personal data.

Thanks to the customer histories available on your CRM platform, it has never been easier to provide excellent customer service. The more happy customers you have, the higher chance to increase your revenue, right?

However, another business axiom is that with big gains come big responsibilities. Protecting customer and employee data is becoming more and more tricky as malicious attackers are using sophisticated tools to break companies’ security walls nowadays. Furthermore, when it comes to a company's cyber security, customer support is the weakest link. It is where the data collection happens yet the support department is the hardest to control.

EU officials recognized these cyber dangers and have mandated the implementation of advanced security tools and practices to help minimize the chance for a data breach. They haven’t named the exact tools, but having a customer support software, antivirus app, or private cloud-based company database is highly advised by both legal advisors and security experts.

This privacy law introduces a Data Protection Officer (DPO), an expert that will be responsible for GDPR compliance. It can be a person inside or outside the company. Regardless, this person needs to be completely objective in their estimations and entirely free of the company’s loyalties in order to avoid  compliance failure and massive GDPR fines.

3. The highest GDPR fines

At the beginning of the GDPR era, we not only heard the news about its implementation but we also heard about the highest GDPR fine to date! On May 25th and 28th in 2019, the French National Data Protection Commission (CNIL) received two group complaints regarding Google’s role in users’ data collection. One complaint was from the association known as None Of Your Business (NOYB), and another was from La Quadrature du Net (LQDN). The 10,000 people involved mandated that LQDN referred the matter to the CNIL. There were two separate complaints but the goal was the same: to examine Google’s data privacy practices.

CNIL's restricted committee took this subject seriously and soon imposed a rigorous measure. In January 2019, the French branch Google Inc faced the worst GDPR penalty to date, which amounted to €51,100,000! They were accused of mishandling consumer data in the fields of transparency, informing about data practices, and consent validity regarding ad personalization.

However, France is not alone on the list of the largest GDPR fines:

  • France: €51,100,000
  • Italy: €39,452,000
  • Germany: €26,492,925
  • Austria: €18,070,100
  • Sweden: €7,085,430
  • Spain: €3,306,771
  • Bulgaria: €3,238,850
  • Netherlands: €3,490,000
  • Poland: €1,162,648
  • Norway: €985,400

4. The country with the highest number of fines and its followers

With Google's catastrophic fine, France still holds first place on the GDPR fine board in terms of the financial burden. However, even though they lead in terms of the largest single GDPR fine, there weren’t so many other penalties in France as compared to other countries. In fact, it is not even in the top ten worst hit countries by the GDPR regulations. On this list, the first country is Spain with 99 fines so far, followed by Hungary with 32, and Romania with 29.

The complete top 10 list looks like this:

  • Spain: 99
  • Hungary: 32
  • Romania: 29
  • Germany: 28
  • Bulgaria: 21
  • Czech Republic: 13
  • Belgium: 12
  • Italy: 11
  • Norway: 9
  • Cyprus: 8

As you can see, Spain is in real GDPR trouble compared to the other 26 member states because it holds a place on both lists. Hungary has a significant number of data policy issues as well. The National Authority for Data Protection and Freedom of Information has issued 32 penalties so far. The largest penalty of €288,000 was issued to an Internet Service Provider (ISP) for inadequate and non-secure storage of its customers’ PII.

Even though there are only seven companies in the UK that faced GDPR fines, the future doesn’t look that bright. To date, the total sum of fines is  €640,000, with the average penalty amount of €160,000.

However, the potential massive fines on British Airways and the Marriott hotel chain are still under the review. The airline could face a fine of  €204,600,000 for a data breach that led to the exposure of 500,000 customers’ PII. Similarly, Marriott exposed 339 million records of sensitive information due to a data breach and is expecting a hefty fine of €110,390,200.

5. The GDPR fine breakdown per private individual

That’s right, individuals aren’t spared in the GDPR  battle.

Here is how a GDPR fine looks in an individual case:

  • Unlawful video surveillance of employees in Spain: €20,000
  • A soccer coach in Austria who was secretly filming female players in the shower room: €11,000
  • Another unlawful employee video surveillance in Spain: €9,000
  • A person in Germany who exposed over 130 email addresses by sending emails to several recipients: €2,500
  • A person in Austria for having unlawfully filmed public areas using a private CCTV system: €2,200

6. Best practices - How to comply with the GDPR?

You can hire an IT expert, a legal professional, and a DPO, but nothing will save you more time and money, or provide better security of your customer data, than a customer support software. Moreover, the software is an irreplaceable addition to your GDPR team’s efforts and ensures accuracy, compliance and customer happiness!