Learning Lessons as GDPR Ramps Up
With GDPR fines finally living up to the hype, what lessons can we learn from some of the biggest fines issued to date?
If you’re still in doubt that GDPR is finally making its presence felt, just turn your attention to the results from Q3. $1.1 bn in fines have been issued, more than the first two quarters combined. So what lessons can be learned?
Among the highlights from the past three months have been a record €746 million fine for Amazon and a €225 million fine for WhatsApp. GDPR fines are rising steeply – both in number and individual scale – but what lessons, if any, can firms take?
In one respect, these fines simply show how lengthy these investigations can be. As big cases come to a conclusion, fines are now starting to come through on a scale that people had been expecting. In other words – rather than reflecting a change of approach from the regulators, this was all to be expected.
However, this data does give us some food for thought.
Lesson 1: fines vary
Some territories across the continent are being more enthusiastic about fining offenders than others. Luxembourg led the way with the highest cumulative fines of €746 million (over $867 million) from 11 cases, followed by Ireland with a €225 million tally (almost $262 million). Italy ranked third, with €86 million (around $100 million) from 92 cases. Spain had the greatest number of cases in the first nine months of 2021, racking up 296 incidents.
Lesson 2: fines aren’t all they appear
Major fines tend to make the headlines, but many have been reduced after negotiation with the companies involved. In August, the ICO’s first GDPR fine was reduced from £275,000 to £92,000 on appeal. The court ruled that the initial fine had been disproportionate because the regulator had over-estimated how many people had been affected by the data breach.
Lesson 3: transparency is important
Fines levied on Amazon and Google show how seriously regulators take a lack of transparency. Not much has been disclosed about why Amazon was fined, but it is thought to involve inappropriate use of cookies. Google, meanwhile, failed to tell customers how their data would be used.
Lesson 4: don’t overstep the mark
H&M was fined €35 million for inappropriately gathering data about its employees. After employees took sick leave or a holiday, the company required them to attend a ‘return to work’ meeting. Many of these meetings were recorded and made available to managers, who were able to glean details about employees’ private lives, including religious beliefs and family issues. This helped them compile detailed profiles which they used in making decisions about employment. Here the company appears to have breached the principle of data minimisation – that it should not process data, especially any which is personal in nature, unless absolutely necessary. It should certainly not have used such data to make decisions about employment.
Lesson 5: aggressive marketing is still happening, and still being punished
Marketing strategies which overstep the boundaries were one of the main targets of GDPR. Telecom Italia (TIM) ran afoul of the regulations for a series of violations involving aggressive marketing tactics. Millions of individuals were targeted with unsolicited emails – many of them people who were on the non-contact list.
What companies can do
Many headlines focus on the scale of the fines. These show that the regulators are serious and intend to exercise their regulatory muscles. However, by looking at the reasons for these fines, businesses can get a good idea of what these firms did wrong and how they can avoid making the same mistakes.
The one common denominator in all these cases is control over data. Businesses need to have strict controls in place to ensure that data isn’t mismanaged, that security measures are in place, and that individuals are not contacted unless strictly necessary.