GDPR turns three: The biggest fines so far

More than 600 fines have been issued under the EU's data protection regulation since it came into force in 2018

The European Union's General Data Protection Regulation (GDPR) has now been in operation for three years

The legislation governs the way that organisations that operate in the EU can use, process and store consumers' personal data, replacing older data protection laws that were not adequate for the advancing use of technology and data collection.

Since its launch on 25 May 2018, there have been more than 600 fines issued by various data regulators around the continent, with penalties ranging from €111 million down to just €28. 

"GDPR has become ubiquitous and everyone seems aware of its existence even if, in my experience, they don't really understand what it means they should do," cloud lawyer and Wallace LLP law firm partner Frank Jennings told IT Pro. "Since data is the new commodity, this new caution around the handling of personal data, underpinned by the recent high fines against BA and Marriott, is a welcome development." 

British Airways currently holds the unwanted accolade of the biggest GDPR fine, having forked out €211.7 million for a data breach that the UK's Information Commissioner's Office (ICO) ruled as "negligent". Hackers managed to infiltrate the company's website with malicious code that redirected its users to a fraudulent site, enabling them to harvest around 500,000 customers' details. The dataset included login credentials, booking details, names, addresses and credit card information. 

Related Resource

The hot cloud storage guide to backup and recovery

What is cloud object storage, why is it on the rise, and what option should you choose?

Hot Cloud StorageDownload now

Similarly, hotel chain Marriott International was fined for a data breach that the ICO also said was its own fault as it didn't do enough to safeguard its systems. Worse, the firm was attacked in 2014 and only confirmed the breach four years later in 208, despite the fact that 300 million customers had their credit card details exposed, along with birth dates and passport numbers. A fine of €110.3 million was issued. 

The third-largest fine is the first to involve one of the major tech firms. Google was ordered by French data protection regulator CNIL to pay €50 million for a "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation". The regulator said that users were not sufficiently informed about how Google had collected their data for personalised advertising. 

"The use of personal data will continue to be important as AI and the Internet of Things continue to take off and compliance will be tested," Jennings added.

"Also, while the UK has promised to adhere to GDPR standards to enable data transfers to continue after leaving the EU, there is the possibility the UK Supreme Court could reach a different decision on the same area as the European Court of Justice. And the EU Commission is finally about to update its model clauses for data transfers. Compliance with GDPR will always be there, just like health and safety compliance."

Featured Resources

Consumer choice and the payment experience

A software provider's guide to getting, growing, and keeping customers

Download now

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Download now

Business in the new economy landscape

How we coped with 2020 and looking ahead to a brighter 2021

Download now

How to increase cyber resilience within your organisation

Cyber resilience for dummies

Download now

Recommended

Senator reintroduces federal data protection bill
data protection

Senator reintroduces federal data protection bill

17 Jun 2021
CVS Health data breach leaves a billion records exposed
data protection

CVS Health data breach leaves a billion records exposed

16 Jun 2021
Researchers send “unhackable” quantum data over 370-mile optical fiber
data protection

Researchers send “unhackable” quantum data over 370-mile optical fiber

11 Jun 2021
New study shows global privacy investments increasing
data protection

New study shows global privacy investments increasing

2 Jun 2021

Most Popular

Best paying tech jobs of 2021
Careers & training

Best paying tech jobs of 2021

7 Jun 2021
Ten-year-old iOS 4 recreated as an iPhone app
iOS

Ten-year-old iOS 4 recreated as an iPhone app

10 Jun 2021
Mythic launches power-sipping AI chip
Hardware

Mythic launches power-sipping AI chip

8 Jun 2021