The General Data Protection Regulation (GDPR) is a comprehensive privacy law that was implemented by the European Union (EU) in 2018. Its purpose is to protect the personal data of EU citizens by establishing strict rules for the collection, processing, and storage of personal information by organisations.
The GDPR applies not only to organisations based in the EU but also to any organisation that processes the personal data of EU citizens, regardless of where the organisation is located. Non-compliance with GDPR can result in significant fines and penalties.
What is the latest on GDPR fines?
According to recent research, supervising authorities across Europe have markedly increased the level of fines issued to companies found in breach of the GDPR. Latest figures show:
- In the year ending March 2022, data protection supervisory authorities across Europe issued fines of around EUR 1.581 billion (GDP 1.403) (+1.319 billion in comparison to the 2021 figures.
- A total number of 1,031 fines (+505 in comparison to 2021) were issued in the year ending March 2022.
- In relation to the number of fines and average sum of fines issued, the most common compliance breach was due to “insufficient legal basis for data processing”. The second and third most reported and fined breaches were caused by “insufficient technical and organisational measures to ensure information security” and “insufficient fulfilment of data subject’s rights”.
These figures show that GDPR enforcement is here to stay and regulators are increasing the number of investigated cases and penalty levels year on year. No business can afford to be complacent when it comes to implementing GDPR policies and procedures.
Find out more in our post Five Ways To Protect Your Company from a GDPR fine
What sectors received the most GDPR fines?
The following sectors received the highest number of GDPR fines:
- Industry and Commerce
It is imperative to note that this does not mean these sectors are necessarily shirking their data protection and privacy compliance obligations, rather it is an indication that these industries are the most exposed in terms of GDPR-related risk. Although the average fines levied in the Transportation and Energy sectors were high, the number of fines issued was relatively low. This signifies that although breaches in this sector are relatively rare, when they occur they are serious and thus attract large penalties.
What are the most common types of GDPR breaches leading to fines?
The top areas of GDPR non-compliance leading to fines were:
- Insufficient legal basis for data processing
- Inadequate technical and organisational measures to ensure information security
- Non-compliance with general data processing principles
- Insufficient fulfilment of data subjects’ rights
- Unsatisfactory fulfilment of information obligations
- Insufficient cooperation with supervisory authority
- Inadequate fulfilment of data breach notification obligations
- Non-appointment of data protection officer
- Insufficient data processing agreement
This shows that many companies are still unsure of what constitutes a lawful basis for processing personal data. The lawful foundations for processing data are set out in Article 6 of the GDPR and at least one of the following must be present whenever personal data is processed:
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
If none of the above apply to your reason for processing personal data, the processing is unlawful and therefore a breach of Article 6.
The data is clear – all companies, especially those in high-risk sectors such as advertising, technology, telecommunications, and general communications (for example direct marketing) need to implement consistent, proactive training programmes to ensure all employees understand what is required for GDPR compliance. As supervising authorities become more confident with enforcing data protection and privacy regulations, the scope for fines and reputational damage leading to a loss of consumer trust will continue to increase.