The General Data Protection Regulation (“GDPR”) first created headlines when businesses were still scrambling to update their data protection concepts ahead of the GDPR coming into force on 25 May 2018. Initially, the EU data protection authorities (“DPAs”) were more lenient and tended towards giving advice rather than handing down fines. However, both the number of fines and their amount have increased significantly over time.
Recently, a number of particularly high fines have once again garnered a lot of media attention. But what kind of violations attract such heavy penalties, and which business sectors are under intense scrutiny by the DPAs? To look into the DPAs’ fining activities in more detail and provide answers to these questions, the GDPR Enforcement Tracker Report analyses the fines based, inter alia, on the type of violation, the country and the relevant business sector. The analysis is based on the publicly available data on fines that CMS collects and compiles here.
Most Common Legal Basis for Fines and Most Affected Sectors
The analysis revealed two predominant groups of GDPR violations which led to both the highest number and the largest amounts of fines: insufficient legal basis for data processing (Articles 5 and 6 GDPR) and insufficient technical and organisational measures to ensure information security (Article 32 GDPR). This holds true for all business sectors.
A recent example of a fine based on insufficient data security is the GBP 20 million penalty imposed on British Airways by the UK’s DPA. The ICO (Information Commissioner’s Office) fined British Airways for failure to take adequate IT security measures to prevent a cyber attack affecting more than 400,000 customers.
Regarding business sectors, DPAs appear to focus a lot on businesses in the media, telecoms and broadcasting sector, while also imposing high fines on companies operating in the transportation and energy sectors.
Ensuring a Sufficient Legal Basis
To avoid being fined for not having a sufficient legal basis for data processing, companies should ensure that the data they collect and use is actually necessary, e.g. for the fulfilment of a contract. Additionally, they should ascertain that any declarations of consent are valid for the respective purpose, e.g. for marketing communications. Where companies want to rely on their legitimate interests as a legal basis, they need to thoroughly assess whether the company’s interests outweigh the individual’s interests.
Bolstering Data Security
The risk of being fined for lacking data security can be significantly reduced by introducing and maintaining state-of-the-art technical and organisational security measures. Primarily, this includes the implementation of industry standards such as ISO/IEC 27001. However, this is not a “one-off exercise” as data security measures should be reviewed and adjusted regularly.
In addition, businesses should hold training sessions on GDPR requirements for their employees. Regarding their products and services as well as internal business processes, companies should take into account the “privacy by design” and “privacy by default” principles.
This means that companies should consider data protection aspects whenever possible.
Dealing with a Data Breach
Unfortunately, even a wide range of data security measures may not entirely prevent data breaches. In many cases where data breaches occur, companies are legally required to report them to regulators and/or affected individuals. It is critical for businesses to react promptly and take immediate action. Otherwise, they could be faced with tougher fines and greater reputational damage.
However, many companies fail to act quickly enough once a data breach has been discovered. This is underlined by an unnecessarily high number of GDPR fines issued due to non-compliance with breach notification obligations. In order to equip businesses with ready-to-access guidance on how to deal with a data breach, CMS developed the Breach Assistant app. The Breach Assistant not only guides users through interactive data breach response checklists, but also provides detailed sector-specific guidance. Furthermore, the Breach Assistant covers more than 70 jurisdictions, thus reducing complexity for international businesses.
Factors Determining the Amounts of Fines
When imposing a fine, DPAs have to consider multiple different factors in each individual case. These factors are also reflected in the DPAs’ justifications collected at the enforcement tracker. By way of example, the ICO explained in its statement regarding the British Airways fine that, in particular, the large number of affected customers, as well as the fact that the cyber attack went on unnoticed for several months until it was brought to British Airways’ attention by a third party, led to the harsh fine. Additionally, British Airways should have used numerous measures such as multi-factor authentication to reduce or prevent the risk of such an attack, none of which would have entailed excessive cost or technical barriers.
Other factors include the nature of the data involved as well as whether the infringement was intentional or caused by negligence. In October 2020 for instance, the Hamburg DPA imposed the highest fine to date in Germany in the amount of EUR 35 million on H&M, partially due to the particularly sensitive data involved which included employees’ health data and religious beliefs, but also because the data was collected intentionally by the management and used to make employment decisions.
However, there are also various options at companies’ disposal which may noticeably reduce the amount of a fine. First of all, it can be advantageous to promptly notify the relevant DPAs and other regulatory authorities rather than waiting until a third party brings the infringement to the authorities’ attention. Additionally, collaborating closely with the DPAs and taking their advice on measures to implement may pay off significantly. Besides, DPAs might also view it favourably if a company apologises to the affected individuals and offers them adequate compensation, as was highlighted in the Hamburg DPA’s decision against H&M.
Although a business’s economic situation in general and its annual turnover are certainly also taken into account by the DPAs, businesses should not expect too much leniency from the DPAs due to the economic impact of COVID-19, as recent fines have shown.
The DPAs’ GDPR enforcement activities show that businesses should pay particular attention to relying on sufficient legal bases for all processing operations, but also to bolstering their data security measures. Additionally, they should keep in mind that data protection concepts are not something to put away somewhere to collect dust; instead, these concepts must be tested and overhauled regularly.
Furthermore, companies should be mindful of potential data breaches and be prepared to immediately take the necessary actions. A breach caused by a cyber attack has become even more likely, as cyber attacks have increased through the COVID-19 pandemic.
Editor’s note: The GDPR Enforcement Tracker Report by international law firm CMS provides valuable insights into the data protection authorities’ fining activities under the General Data Protection Regulation. It sheds light on what type of infringements triggered the harshest fines and which business sectors have been affected the most.