Companies are far more likely to fall foul of GDPR for dodgy data processing than for any other issue, with this misdemeanor accounting for seven of the top ten biggest fines – and nearly 40% of the total of €235.6m (£212.6m) in penalties – issued since the regulation came into force across Europe in May 2018.
Following an analysis of data provided by the CMS.Law GDPR Enforcement Tracker, Decision Marketing can reveal that of the 429 fines which have been levied so far, 170 have been for “insufficient legal basis for data processing”.
The law provides six legal bases for processing: consent, performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest.
The biggest culprit so far is Google, which was whacked with a €50m (£45m) penalty by the French regulator CNIL in January 2019 for failing to provide transparent and easily accessible information on its consent policies.
Meanwhile, the Germans recently battered Swedish retail group H&M with a €35m (£31.9m) penalty for leaking confidential files, and the Italians have hit telecoms operator TIM for €27.8m (£25m) and two utilities – Wind Tre €16.7m (£15.1m) and Eni Gas & Luce €8.5m (£7.7m) – with Austrian Post forced to cough up €18m (£16.3m).
The next category, which accounts for 89 fines, is for breaches of information security, or as the regulation would have it: “insufficient technical and organisational measures to ensure information security”.
British Airways came a cropper on this issue in July 2019, although the UK Information Commissioner’s Office has only this month settled on a £20m penalty – a 90% reduction on the proposed fine of £183m. In addition, German firm 1&1 Telecom was hit for €9.5m (£8.4m) in December 2019, Bulgaria’s National Revenue Agency got a €2.6m (£2.34m) penalty in September 2019 and German health insurance company AOK had to cough up €1.2m (£1.1m) in June this year.
In third place are issues such as data retention and deletion procedures, included in the “non-compliance with general data processing principles”. There have been 69 fines in this category, including a €14.5m (£13.1m) penalty against German estate agent Deutsche Wohnen SE.
Finally, there have been 46 fines against firms which have failed to fulfil data subjects’ rights, with Google once again being the biggest perpetrator, receiving a €7m (£6.3m) penalty in Sweden for failing to act on requests from consumers who had exercised their right to be forgotten.
Decision Marketing publishing editor Charlie McKelvey said: “Believe everything you read and you might be forgiven for thinking that data security breaches are the biggest threat to businesses under GDPR. However, scratch under the surface and it is dodgy data processing practices which are giving companies the most grief.
“Of course, hackers are a constant threat but firms need to look closer to home, too; never has there been a greater need to carry out due diligence across your entire data operations.”