It's one thing to have rules, and another to have consequences for breaking them. When the GDPR took effect, not everyone was convinced it would have any real effect unless breaches led to punishments.
It's now clear that regulators really will impose substantial fines on businesses that don't follow the rules.
The Basics of the GDPR
The General Data Protection Regulation (GDPR) has been in legal force for more than two years now, but in case you need a quick reminder, these are the key points.
The GDPR restricts the way you can process personal data in the European Union.
- Process has a broad definition that includes collecting, using, sharing and selling data
- Personal data means information that relates to an identified or identifiable human being
The GDPR applies if:
- The organization processing the data (the data controller) has a presence in a European Union country,
- The person the data is about (the data subject) lives in a European Union country, or
- The processing itself takes place in a European Union country (for example, in a data center in the EU)
The GDPR's measures will also apply in the United Kingdom through domestic law unless and until that domestic law changes.
When the GDPR applies, it's only lawful to process data if one of a list of "lawful bases" applies. These include, among others, legal obligations, contracts, protecting someone's life, and certain official public activities.
For businesses, the two most relevant lawful bases are:
- The data subject has given meaningful consent to you processing data for a specific purpose
- The processing is needed for your legitimate interests and these aren't outweighed by the data subject's data privacy rights
As well as covering lawful and unlawful processing, the GDPR also says you must:
- Only process the minimum amount of data needed for the stated purpose and only keep it for as long as necessary
- Make sure the data is accurate and correct it if necessary
- Keep the data secure
- Make sure data subjects know what data you have and how to exercise their rights
Penalties for Breaching the GDPR
National data protection authorities known as "supervisory authorities" have the power to enforce the GDPR and punish data controllers that breach it. These powers include the supervisory authority having the right to:
- Issue an official warning
- Temporarily or permanently stop the data controller from processing personal data
- Order the data controller to stop sending data to a non-EU country
The supervisory authorities can also issue financial penalties known as administrative fines. (In Denmark and Estonia the supervisory authorities must instead recommend that a national court issue the penalty.)
The amount of the fine is not simply designed to rectify the breach and any resulting damage. Instead, supervisory authorities can set a fine designed to deter future breaches, though it cannot be disproportionate to the specific circumstances of the breach.
The factors a supervisory authority must take into account include the following:
- How many data subjects were affected
- Whether the infringement was deliberate or caused by negligence
- What the data controller did to mitigate the effects
- Whether the data controller has previously breached the GDPR
- Whether the data controller reported the breach to the supervisory authority
- Whether the data controller complied with a relevant code of conduct
The GDPR sets out two maximum limits on fines, both of which are set at very high levels.
Some breaches come under the lower maximum limit. These generally involve breaching more administrative parts of the GDPR rather than the fundamental principles. With these cases the maximum allowable fine is whichever is greater: either €10 million or two percent of the business's worldwide revenue in the previous financial year.
More serious breaches have a maximum allowable fine of whichever is greater: either €20 million or four percent of the business's worldwide revenue in the previous financial year.
Although data controllers that receive an administrative fine have the right to appeal, successful appeals have been extremely rare to date.
Examples of Significant GDPR Fines
The following notable cases show that the threat of GDPR fines is very real. In most cases, the data controllers could easily have avoided the breach and the financial penalty with better data practices. We'll also show examples of organizations that get this right.
Arp-Hansen Hotel Group
This business was fined 1.1 million Danish crowns (€148,000) for keeping data longer than necessary. This included a database of customer details and records from a booking system.
The GDPR says businesses can only keep data for as long as necessary for the stated purpose, such as holding a reservation on a room. Once this is no longer necessary (for example, because the hotel stay has finished), the data must be deleted.
The Right Way:
This example from The Guardian explains its data retention policy:
A clause like this is crucial to GDPR compliance. While you don't need to say exactly how long you retain data, you need to make it clear that you only retain it for as long as you need it for.
Let users know that you will delete or anonymize data after this period, depending on your practices.
Google
Google was fined 75 million Swedish kronor (€7 million) for breaching the GDPR's requirement to deal with data subjects who request that their data be deleted because it is inaccurate or irrelevant. In particular, it took too long to handle one request, and handled another in a way that undermined the point of deleting the data.
The Right Way:
Belbin clearly explains the circumstances in which somebody can request data deletion:
Make sure your users:
- Know about the right to erasure
- Know how to exercise this right
Also make sure that you honor erasure requests appropriately.
This retailer was fined €35.3 million for storing and processing employee data without consent.
Some of this data was gathered through informal discussions with employees who were unaware it would be stored or used to make decisions about their employment.
The breach was particularly serious as it involved sensitive personal data, which must be protected with higher security levels than ordinary personal data. Ironically it was a failure to maintain this higher security that revealed the company was collecting and processing the data.
Some of this data could have been collected and processed had the company gathered explicit informed consent from the employee concerned, while other data should never have been processed. Either way, it's a reminder that the GDPR covers personal data about any individual, not just customers.
The Right Way:
The Ministry of Justice has a separate Privacy Notice for employees:
While you don't need to have a separate policy like this, you do need to make sure that your employee data is handled in a compliant way.
Royal Dutch Lawn Tennis Association (KNLTB)
The KNLTB was fined €525,000 for selling personal data about its members to two sponsors. The organization had relied on the legitimate interests basis in doing so, an argument which was rejected by the supervisory authority.
The sale of the data would have been lawful had the organization obtained consent from the data subjects.
The Right Way:
Dennis Publishing gives an example of when it could sell data:
Make it clear to your users if you sell or share their personal data. If you do so, explain, at least broadly, who may end up with the data.
Vodafone España
Vodafone España faced several GDPR fines in 2020. The biggest was €120,000 for two violations.
The company processed a person's data to provide a phone line and passed the data on to two credit reporting agencies. While both of these actions might seem reasonable, the company could not prove it had consent.
The Right Way:
This sign-up form from Scientific American requests consent for multiple different things:
Make it clear how you will use someone's personal information, and get consent that is as explicit as possible.
This telecoms company was fined €16.7 million for a series of GDPR breaches, mainly centered on using personal data to send unsolicited marketing communications.
Among the specific breaches, the company failed to give clear and complete information about how to contact it to withdraw consent after previously giving it.
The company's apps were also inadequate as they required consent to processing before the user could access the app, and would not allow the user to withdraw the consent until 24 hours had passed. This breached the requirement for consent to be meaningful and freely given, and for the data subject to be able to withdraw consent at any time.
The Right Way:
This example from EASA details both the right to withdraw consent and how to do so:
Steps to Take Now
Nothing will reliably protect you against the risk of an administrative fine under the GDPR if you intentionally or recklessly breach the rules, for example by collecting, using or selling data while knowing you don't have a lawful reason to do so.
However, in many cases you can reduce or remove the risk of a fine by making sure data subjects are aware of how you intend to process their data, and that they have the ability to withhold consent or tell you to stop the processing. At a minimum, tell data subjects about:
- The data subject's rights under the GDPR including to withdraw consent at any time and to complain to a supervisory authority
- Your identity and contact details and those of your Data Protection Officer
- What personal data you want to process
- The specific purpose for which you will process the data
- The lawful basis that covers the processing, including details of your legitimate interests if relevant
- Who you will disclose the data to
- Whether you will transfer the data outside of the EU and, if so, how you will safeguard it
- How long you will keep the data (or how you will decide)
- Whether the data subject is legally or contractually required to provide the data and what happens if they don't
- Whether you use any automated decision-making based on the data
Remember that the GDPR says consent must be meaningful. The data subject must give consent freely and actively. To make sure this happens you should do the following:
- Require an assertive, intentional action from the data subject to give consent such as checking a box, clicking a button or switching a toggle. Never work on the basis of presuming consent unless the data subject says otherwise.
- Don't use pre-ticked checkboxes or toggles set to "on" by default. Supervisory authorities have ruled this creates too much risk of a user "giving consent" by mistake.
- Don't treat scrolling through a message as a signal of consent. This doesn't give a clear enough signal and there's no easy way to withdraw the consent.
Let's recap what you need to know about avoiding fines under the GDPR:
- The GDPR applies if you process personal data about somebody and either you, they or the processing is in a European Union country.
- Under the GDPR, you can only process personal data if a specific lawful basis applies. For businesses this is usually consent or legitimate interests.
- Breaching the GDPR can lead to fines from a supervisory authority. These can be as high as €20 million or four percent of your annual global turnover, whichever is bigger.
- Supervisory authorities have issued many substantial fines, few of which have been successfully appealed.
Breaches that have led to fines include:
- Keeping data longer than necessary
- Failing to properly handle requests to delete data
- Storing data about employees without consent
- Selling data without consent
- Processing data without consent
- Making it too difficult to withdraw consent