Owing to their public nature and the impact they can have on those affected, data breaches are often what springs to mind on first mention of fines issued by a Data Protection Authority (DPA).
However, since the introduction of the GDPR, fines are being issued not only for infringements identified in the aftermath of a data breach, but for a wide range of processing activities running contrary to provisions of the GDPR. This includes the reliance on an inappropriate legal basis, failure to appoint a DPO when obligated to do so, and lack of transparency regarding data processing activities.
Aside from fines issued by DPAs, there are also separate and more immediate costs for organisations to bear as a result of infringements. These costs can be measured in tangible terms such as the expense incurred through the hiring of outside specialists in response to an infringement, or in intangible terms such as damage to the reputation and trust of an organisation.
This article outlines the enforcement activity across the EU in response to GDPR infringements, the potential costs facing organisations for infringements, and practical advice that can be followed to identify and rectify non-compliance.
Fines for infringements
One objective of the GDPR was to address the fragmented system of EU data protection rules and create a more standardised approach to the regulation of data processing activities. This move towards uniformity extends to the investigative powers of DPAs and the enforcement measures they can take in response to infringements.
DPAs have approached enforcement in different ways. This is most evident in the number of, and size of, fines issued. Given the continuing efforts to standardise how the GDPR is enforced, it is prudent to be aware of enforcement actions taken across the EU, as it may be indicative of the direction of enforcement to come.
Data presented by CMS’s enforcement tracker provides a clear picture of enforcement activities across the EU. On the number of fines issued, Spain leads the table by a significant margin: it has issued 313 fines, followed by Italy with 97 and Romania with 66. Ireland has issued the second highest fine, €225m to WhatsApp. That is dwarfed only by the Luxembourg DPA fine of €746m issued to Amazon. Both fines are expected to be contested by the organisations.
According to the enforcement tracker, the most common category of infringement fined across the EU is non-compliance with general data processing principles. An example of a fine in this category is one issued by the Spanish DPA, the AEPD, against a laboratory that installed CCTV in a manner that interfered with the privacy of third parties, in violation of the data minimisation principle under Article 5(1)(c) of the GDPR.
The next most common categories of infringement were breaches of the transparency provisions of the GDPR, such as the fine issued to WhatsApp by the Irish DPA, and reliance on an invalid legal basis for data processing, such as the fine issued by the Greek DPA to PWC for the inappropriate use of consent for employee processing activities.
Other costs to consider
Insight into the costs an organisation could incur from infringements can be gleaned from research into the reported costs resulting from data breaches. In the Ponemon Institute’s Cost of a Data Breach Report 2021, costs are grouped into four cost centres, each of which may equally form part of the expenditure in response to an infringement:
- Detection and escalation: incorporating forensic and investigative activities, assessment and audit services, crisis management, and communication to executives and boards.
- Notification: incorporating activities to notify DPAs, data subjects and other third parties, where required.
- Lost business: incorporating business disruption and revenue losses from system downtime, cost of lost customers and acquiring new customers, reputation losses, and diminished goodwill.
- Post-breach response: incorporating costs such as help desk, inbound communications, and legal expenditures.
While personal data breaches often cause the most devastating and long-lasting impact on organisations and the individuals affected, infringements outside of these incidents can cause significant disruption to operations, incur substantial costs, and deliver extensive damage to a reputation that has taken time to build.
There are a number of activities that can be undertaken to foster a system that works to identify and rectify non-compliance with data protection regulations. They include:
- Regularly undertaking compliance checks and monitoring areas that are in the process of being addressed.
- Ensuring the GDPR principles are applied to all processing activities, while relying on an appropriate legal basis to process.
- Providing adequate transparency to individuals on how their personal data is processed.
- Identifying where additional support is required to address areas of non-compliance.
Trilateral’s Data Governance and Cyber Risk Team has extensive experience supporting organisations undertaking compliance audits, incident response and privacy programme development. We offer a range of data governance services, including compliance support. Please feel free to contact our advisors, who would be more than happy to help.