You read that right: GDPR enforcement is on fire! While fines are not always particularly high, our analysis shows that, in terms of volume, data protection authorities (DPAs) are rapidly increasing their GDPR enforcement activities. Some interesting trends are also emerging:
- DPAs have levied 190 fines and penalties to date. With 43 enforcement decisions made so far, Spain leads the pack as Europe’s most active regulator, followed by Romania (21) and Germany (18). The UK has imposed the highest total amount of fines — more than €315 million — if both British Airways’ and Marriott’s fines are upheld after appeal. Following are France’s Commission Nationale de l’Informatique et des Libertés, with just over €51 million in fines, and Germany’s DPA, at nearly €25 million.
- Failures of data governance — not security — trigger the most fines and penalties. DPAs have primarily acted against the infringement of Article 5 (principles of processing of personal data) and Article 6 (lawfulness of processing). These rules contain key data governance principles, such as data accuracy and quality, and fairness of processing, when firms collect and process the minimum amount of data necessary for a specific, clearly defined purpose. Firms struggle greatly to meet the requirements around consent and other available legal bases.
- Breaches get the enforcement ball rolling but are just a starting point. Many security and risk (S&R) and privacy pros expected security infringements and missed breach notifications to be the main triggers of GDPR enforcement. DPAs have undertaken about 50 actions for infringement of article 32 (security requirements) and a few more related to failure to report breaches. These cases show that an actual security incident is just the starting point for determining fines. Investigations that followed some of the biggest breaches of the post-GDPR era focused not only on the specific conditions of the breach but also highlighted “poor security arrangements.” Adequate authentication procedures — or the lack thereof — have been DPAs’ focus since the first enforcement action in 2018.
- Compromised data from a single customer can be expensive. DPAs evaluate the impact of a breach, not just its volume. For example, Spain’s data protection regulator fined two telco providers, each of which had an issue with a single customer. One telco erroneously disclosed credentials of a third party to a customer, allowing the customer to gain access to sensitive third-party data. This single event cost the provider €60,000. The DPA fined another telco provider almost €40,000 for processing the data of a single customer without their consent. A hospital in Germany was also fined €105,000 for GDPR violations associated with the misuse of data of a single patient.
- Failure to respect individuals’ rights will lead to the next wave of fines and penalties. Forrester expects the next enforcement wave to come from failing to address individuals’ privacy rights. Most current enforcement actions refer to data access requests and data deletion. For example, a German property company that — among other issues — archived customer data in a way that didn’t allow for data deletion was fined €14.5 million. Enforcement to date has primarily come from customer requests, but enforcement actions from employee requests are also increasing. Bulgaria’s Commission for Personal Data Protection fined an employer for a delayed and incomplete response to an employee’s access request.
- Third-party risk management is the next big thing in the privacy arena. Third-party risk management is nothing new to S&R and privacy pros, but they’re only now starting to see how third parties affect their privacy program. Third parties that don’t follow the same privacy policies you do can destroy not only your privacy program but also your brand, your customers’ trust, and your partner ecosystem. From vendors to subcontractors to data suppliers to the partners you share data with, it’s evident that third-party risk has far-reaching implications for privacy. Current due diligence practices are not going to cut it. Don’t be caught off guard. Instead, look for ways to blend technology, cross-functional knowledge and data, and external insights with your S&R peers to automate third-party management for privacy.
If you want to learn more about the analysis of GDPR enforcement actions so far and how companies are shifting their strategy from GDPR readiness to sustained compliance, read my upcoming Forrester report and schedule an inquiry with me.
Happy Data Privacy Day, everyone!