GDPR is little more than a year old, and we are beginning to see some major fines. The largest fines yet were levied against British Airways ($230 million) and Marriott ($123 million). As CNBC pointed out, these fines could have been larger, as they represented only a little more than one percent of the companies’ revenues, rather than the 4 percent maximum fine allowed by the regulation. And this is just the tip of the iceberg, as the Big Tech giants Google, Facebook and Apple are still under investigation.
These fines grab headlines because they are so costly, involve well-known corporations, and are due to significant data breaches. The reality is that GDPR has impacted many more companies, and in many more ways, than these few cases suggest. With California’s CCPA and Nevada’s privacy law on the horizon, it’s worth reflecting on the last year of GDPR enforcement: Which aspects of the regulation were most frequently violated, where are the biggest pain points for organizations, and what can we learn from GDPR challenges as CCPA’s implementation looms closer?
Why All the Fines?
There was a lot of expectation (or at least a lot of hope) that GDPR would make organizations more conscientious about their behavior when dealing with consumer data, or at least that employees would receive better training and become more aware of how their actions could result in a violation or misuse of consumer data.
That hasn’t happened. Instead, we’re seeing companies fined for GDPR violations for several reasons. Breaches resulting from a third-party security failure are a major source of fines. “Every single company that uses third parties to process customer data on their behalf is vulnerable to the same kind of security breach,” Jessica Davies wrote in Digiday. In addition to large security vulnerabilities, companies that work with third parties to process consumer data have repeatedly had trouble tracking where a specific consumer’s data is, especially when responding to a consumer exercising his or her right to access or delete that data.
Many breaches and data privacy violations are caused by unintentional mistakes or a lack of awareness. For example, a private citizen in Austria was fined €4,800 because their CCTV system captured footage of too large an area of public space. Filming with CCTV cameras has been a repeat issue, and while the fines are smaller, they still show a significant lack of awareness of what constitutes a GDPR violation and who can be fined. Employees and companies that do not understand where privacy laws apply to them will continue to be a source of violations. Companies with a Data Protection Officer, or internal teams trained to deal with new regulations, will be best prepared to handle future data privacy regulation.
Frequently Violated Articles
GDPR is laid out in 99 articles, but most data breaches so far tend to violate six of them. Article 12, transparency and rights of the data subject, also stood out as a major pain point for companies, both in fines and in the effort required for compliance.
Article 5, which defines what personal data is and outlines the principles for processing it, and Article 32, which covers the security of processing, are the two articles most commonly violated. Article 33, notification of a data breach to a supervisory authority, is the article associated with the largest fine.
Other articles violated less frequently, but often enough to stand out, are Article 6 (lawfulness of processing) and Article 13 (information to be provided where personal data is collected). Most of these violations are against one or more subsections of a specific article, and some involved multiple articles.
Why are Article 5’s stipulations so difficult to meet? It could be because privacy experts have struggled for years to properly define personal data. GDPR did not wave a magic wand and instantly change our understanding of how to handle data securely. Businesses are still overwhelmed with implementing GDPR and still learning where all the lines are drawn. Meeting regulations is an ongoing process.
The Biggest Pain Points
The GDPR Enforcement Tracker website keeps a running tally of violations and fines (it is not a complete listing, but it is fairly detailed and regularly updated). It also provides a detailed look at the reason behind each violation, and reading through them, you begin to find common threads. The pain points in meeting GDPR compliance are very similar from case to case.
One issue that comes up a lot is consumer transparency and tracking. For example, the Polish National Personal Data Protection Office (UODO) received complaints that a sports association was unable to provide the necessary personal data to its users in response to an access request, while in Bulgaria, a bank was fined for contacting clients who had previously exercised their right to be forgotten.
But the biggest issues stem from the same problems that plague cybersecurity efforts in general: insider threats and improper handling and storage of data.
Lack of employee privacy awareness training often comes back to bite employers when an employee unwittingly mishandles or misuses data. Employees serving customers also often do not know where the customer’s data is stored or whether the customer will be able to exercise their right to be forgotten. If employees aren’t properly trained in what constitutes a violation of GDPR and other privacy laws, they are going to break them. Looking at the medical records of a celebrity may satisfy one’s curiosity, but at one facility it brought about GDPR fines after 197 employees did just that. Meanwhile, a political campaign in Belgium was hit with a fine because personal information was misused. Education on how data can and cannot be used, and on the penalties for misuse, has never been more vital; without it, expect this to remain a major pain point in GDPR compliance.
CCPA, Nevada, and Beyond
As CCPA becomes the newest standard companies must meet, expect to see many of the same challenges that companies and individuals face in meeting GDPR compliance. While the two laws aren’t the same, they pose a similar challenge: understanding data, how it is used, how it is stored, and who owns it. Without solid definitions and better awareness, we can only expect more of the same.