IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

GDPR turns three: The biggest fines so far

More than 600 fines have been issued under the EU's data protection regulation since it came into force in 2018

The European Union's General Data Protection Regulation (GDPR) has now been in operation for three years

The legislation governs the way that organisations that operate in the EU can use, process and store consumers' personal data, replacing older data protection laws that were not adequate for the advancing use of technology and data collection.

Since its launch on 25 May 2018, there have been more than 600 fines issued by various data regulators around the continent, with penalties ranging from €111 million down to just €28. 

"GDPR has become ubiquitous and everyone seems aware of its existence even if, in my experience, they don't really understand what it means they should do," cloud lawyer and Wallace LLP law firm partner Frank Jennings told IT Pro. "Since data is the new commodity, this new caution around the handling of personal data, underpinned by the recent high fines against BA and Marriott, is a welcome development." 

British Airways currently holds the unwanted accolade of the biggest GDPR fine, having forked out €211.7 million for a data breach that the UK's Information Commissioner's Office (ICO) ruled as "negligent". Hackers managed to infiltrate the company's website with malicious code that redirected its users to a fraudulent site, enabling them to harvest around 500,000 customers' details. The dataset included login credentials, booking details, names, addresses and credit card information. 

Related Resource

The hot cloud storage guide to backup and recovery

What is cloud object storage, why is it on the rise, and what option should you choose?

Hot Cloud StorageDownload now

Similarly, hotel chain Marriott International was fined for a data breach that the ICO also said was its own fault as it didn't do enough to safeguard its systems. Worse, the firm was attacked in 2014 and only confirmed the breach four years later in 208, despite the fact that 300 million customers had their credit card details exposed, along with birth dates and passport numbers. A fine of €110.3 million was issued. 

The third-largest fine is the first to involve one of the major tech firms. Google was ordered by French data protection regulator CNIL to pay €50 million for a "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation". The regulator said that users were not sufficiently informed about how Google had collected their data for personalised advertising. 

"The use of personal data will continue to be important as AI and the Internet of Things continue to take off and compliance will be tested," Jennings added.

"Also, while the UK has promised to adhere to GDPR standards to enable data transfers to continue after leaving the EU, there is the possibility the UK Supreme Court could reach a different decision on the same area as the European Court of Justice. And the EU Commission is finally about to update its model clauses for data transfers. Compliance with GDPR will always be there, just like health and safety compliance."

Featured Resources

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

The Total Economic Impact™ of IBM robotic process automation

Cost savings and business benefits enabled by robotic process automation

Free Download

Multi-cloud data integration for data leaders

A holistic data-fabric approach to multi-cloud integration

Free Download

MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI

Free Download

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

14 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation
cyber crime

Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation

25 Nov 2022