5 Biggest GDPR Fines — and What to Learn From Them
GDPR (General Data Protection Regulation) fines are punishments intended to incentivize firms to remain complaint with the European Union's data privacy regulations. Prior to GDPR becoming enforceable on May 25, 2018, it wasn't completely clear how fines would be applied for GDPR violations.
Now that about a year and a half has passed, we have some precedent to go along with the legislation. With this perspective, we can look back and examine how regulators are fining organizations that run afoul of GDPR rules.
If you or your organization could use a little more GDPR training, Simona Millham's GDPR Awareness training covers everything learners need to know about GDPR — and how to stay in compliance.
How GDPR Fines Work
If you're interested, GDPR EU.org provides a detailed breakdown of GDPR fines and penalties. GDPR fines are administered by authorities in the EU member states. Authorities use the following 10 criteria to determine how severe a given fine should be.
Nature of infringement. The scope of the violation: how many were affected, how damaging, how long, etc.
Intention. Whether the violation was purposeful or a result of negligence.
Mitigation. The actions taken to reduce damage to data subjects (e.g. the people whose data was affected by the violation).
Preventative measures. What the organization did to prepare and prevent GDPR violations.
History. An organization's track record when it comes to Data Protection Directive and GDPR violations.
Cooperation. How much an organization cooperates in remediation of violations.
Data type. The type of personal data that was impacted.
Notification. Whether the violation was proactively reported or not.
Certification. If the organization followed approved codes of conduct or had qualification under relevant certifications.
Other. Relevant criteria not listed above such as financial impact the firm experienced related to the violation.
With that information, regulators categorize the violation(s) into one of two categories
Lower Level. These infringements can cost up to €10 million (~$11.01 USD) or 2% of the previous year's worldwide revenue. Whichever value is greater is the maximum fine.
Upper Level. These infringements can cost up to €20 million (~$22.02 USD) or 2% of the previous year's worldwide revenue. Whichever value is greater is the maximum fine.
Need to get up to speed on GDPR? Check out Simona Milham's GDPR awareness course!
The 5 Largest GDPR Fines to Date
Now that we understand the basics of how GDPR fines, let's look at the five biggest GDPR fines levied so far.
British Airways £183.4 million ($230 million USD)
According to a July 8, 2019 BBC article, the £183.4 million fine the UK's ICO (Information Commissioners Office) levied against British Airways stemmed from a 2018 data breach.
Hackers were able to get information on roughly 500,000 British Airways customers. The attackers were able to capture this information by redirecting British Airways' website to a fake site. From there, they got their hands on information including:
Credit card information (including card numbers, CVV codes, and expiration dates)
The root cause of the breach was believed to be "poor security arrangements at the company". To their credit, British Airways reportedly was cooperative and was working to improve their security after the breach.
Lessons to be learned:
Website security must be taken seriously. It's easy to get lulled into a false sense of security just because you haven't been hacked yet. IT departments need to prevent attacks every time; hackers just need to get it right once. Keep this in mind when implementing security policies in general.
Cooperation may help reduce fines. While this may seem odd given British Airways tops our list, it could have been worse. While the fine here was a staggering amount, it wasn't the maximum. The fine totaled roughly 1.5% of British Airways' 2017 revenues. Because it was an Upper Level infringement, that's less than half of the maximum 4% possible. It's possible BA's cooperation helped keep the fine lower than it would have otherwise been.
Marriott £99.2 million ($123 million USD)
A day after the BBC reported on the British Airways fine, Tech Crunch reported a $123 million fine against Marriott. This GDPR infringement stems from a data breach that began in 2014 and lasted through 2018.
The initial 2014 breach didn't actually happen on Marriott's watch. Marriott announced the acquisition of Starwood in 2015, and the deal officially closed in 2016. The Starwood reservation database is what was hacked, and the breach remained undiscovered until 2018.
More than five million passport numbers and eight million credit card records were exposed in the breach. Overall, estimates pegged the number of guests exposed at up to 383 million and the number of EU residents affected at about 30 million.
Lessons to be learned:
Look to detect breaches quickly to reduce dwell time. The amount of time a threat remains within a network is known as "dwell time". The longer the dwell time, the more damage can be done. Because no security system is perfect, IT needs to be prepared to detect breaches quickly and reduce dwell time. In this case, if Starwood was able to detect the breach in 2014, Marriott may have never been affected.
Be careful when integrating systems. Think about this from the perspective of Marriott's IT security team. Your company makes an acquisition. You need to integrate a large database to your existing IT infrastructure. It turns out that database was already compromised. For years after the initial breach, you take the blame. While this may not seem fair, being proactive and auditing systems is an important part of securing data within a network.
Google €50 million ($56.8 million USD)
The Verge reported Google's GDPR fine in January of this year. There are two things that make the Google GDPR fine unique. It's the first entry on our list where the fine wasn't from a U.K. regulator (France's regulator levied the fine). Additionally, while the other two multimillion-dollar fines were a result of breaches, Google's infringement was different.
Google was fined for not providing enough information on their data consent policies — and not giving users enough control over the use of their personal information. While a $56.8 million fine is a large amount in general, it's a fraction of Google's $136.22 annual revenue for 2018.
Lesson to be learned:
GDPR isn't just about security. While maintaining data security is important, GDPR is also about individual data privacy rights and transparency. With the Google fine, regulators showed that they are willing to use fines to punish organizations that aren't transparent.
Haga Hospital €460,000 ($506,611 USD)
There's a pretty big drop off between No. 3 and No. 4 on our list. Part of that may be attributed to the size of the organizations involved. Haga Hospital was hit with this fine in July of this year. Security Magazine reported it as the first GDPR data breach fine in the Netherlands.
This case was interesting because it didn't seem to be a traditional data breach carried out by hackers. Regulators launched an investigation after it was found 197 employees accessed a celebrity's medical records. The investigation found that the hospital did not meet all relevant security requirements set by GDPR. In addition to the roughly half million-dollar fine, Haga Hospital could have faced an additional $336,000 in fines if security was not improved.
Lessons to be learned:
Access control and end-user training are important. It seems unlikely that 197 employees needed access to a celebrity's medical records. From an IT security perspective, tighter access controls could have gone a long way to prevent issues here. Additionally, training employees to respect personal data and data privacy laws may have helped in two ways. First, maybe fewer employees would have accessed the data. More importantly, maybe someone would have spoken up about lax security policies that enabled that level of access.
Fines can increase if security doesn't improve. In this case, regulators gave an ultimatum of sorts. The message was simple. Improve your security ASAP, or face more fines.
(Tie) Sergic and Centro Hospitalar Barreiro Montijo €400,000 ($440,532 USD)
We have a tie to round out our Top 5 Largest GDPR Fines list. However, technically the Centro Hospitalar Barreiro Montijo hospital in Portugal may not be a true GDPR fine. We say this because:
The supervisory agency that levied the fine, the CNPD (Comissão Nacional de Protecção de Dados) was NOT yet formally appointed as a supervisory authority for GDPR (Source: iapp.org)
Inside Privacy reported Portugal had not yet "implemented" GDPR at the time of the fine.
The counterarguments to the above are: CNPD had the authority to implement fines within Portugal regardless and the CNPD relied on GDPR principles. With that technicality out of the way, here's the breakdown on the two fines:
Sergic: According to Alpin, this French real estate company was fined in June of 2019 for allowing easy access to individuals' information. Their website reportedly allowed access to information including ID cards and tax notices simply by changing the URL.
Centro Hospitalar Barreiro Montijo: While this hospital is unnamed on the Alpin list, the iaap.org information suggests Centro Hospitalar Barreiro Montijo is the "Hospital near Lisbon". They were fined for staff using false accounts to access patient data.
Lesson to be learned:
Err on the side of respecting data privacy. In the case of Centro Hospitalar Barreiro Montijo, there was an argument GDPR was not applicable. While that may be true in some cases, respecting data privacy is the ethical thing to do. Even if you're not subject to GDPR, you should treat individual personal information with respect. In some cases, it may even end up saving you from fines.
Data privacy is a hot topic, and GDPR has a wide reach, even outside of the EU. It's unfortunate that data breaches and violations of data privacy occur. However, by learning from these cases, organizations and their IT teams can be proactive and avoid running afoul of the GDPR.