GDPR Fines Data 2020/21
Just over 3.5 years after the implementation of the General Data Protection Regulation, hundreds of millions of Euros worth of fines have been handed out within Europe. As the GDPR becomes more embedded, Supervisory Authorities are demonstrating increasing ease with imposing fines up to the maximum amount where necessary.
Within Europe, there is a trend of slow increases both in the number of fines issued and in the amounts of those fines. At first glance, the increase in the total amount of fines issued between 2020 and 2021 seems huge, going from €170m to just over €1 billion. But the rate of increase is – in reality – much smaller. Over 97% of 2021’s fines are represented by only two cases – in Luxembourg against Amazon (€746m) and in Ireland against WhatsApp (€225m). However, even with these unusually large fines removed, the pattern is one of Supervisory Authorities issuing fines of steadily increasing amounts as time goes on.
Under UK GDPR and the Data Protection Act 2018, the maximum fine is £17.5 million, or 4% of annual turnover, whichever is higher. This higher amount can be imposed where the firm is found to have failed to comply with any of the data protection principles, in relation to transfers of data to third countries, or an individual’s rights under Part 3 of the DPA 2018. For all other cases, there is a maximum fine amount of £8.7m, or 2% of annual turnover.
Within the UK, the Information Commissioner’s Office’s highest fines so far were imposed in 2020; in 2021 three fines of relatively minor amounts were issued, ranging from £11,800 to £585,000. In November 2021, however, the ICO issued a provisional notice that it intended to fine Clearview Inc just over £17 million for gathering facial images, without the knowledge of the affected individuals, from publicly available online sources, including social media. In the ICO’s view, Clearview have failed to comply with data protection laws in a number of ways, including failing to ensure fair processing and to inform people what is happening to their data, not having a process in place to stop the data being retained indefinitely, and failing to have a lawful reason for collecting the data.
These early, large fines show that the ICO is willing to impose fines up to the maximum amount where it has found this to be necessary. Although large fines remain few and far between and are reserved for serious breaches of data protection, robust GDPR compliance remains critical for firms of all sizes, despite Brexit.
Although the specifics of the UK GDPR could diverge from the current Regulation if the UK Government’s consultation on reforms finds that a reshape of the current approach is in order, compliance with the Regulation and legislation as they stand remains important. Now is the ideal time to review compliance with the requirements – any new rules will still require a responsible use of data, and gap analyses and recent reviews will provide a good starting place for planning to incorporate any new ways of working.
Regular reviews of compliance have the added advantage of signalling to the regulator that sound data protection practices and compliance with the rules are important to the firm, and following the review of the rules it is likely to be more important than ever to demonstrate that the company meets the principles of fair data processing.
Non-compliance is not an option. The ICO is clearly willing to impose high fines where its findings suggest this is necessary. The stakes are high, especially for medium-sized and smaller firms, which could face severe financial consequences if they fall short of the Regulator’s expectations.
Individuals who have suffered material (financial) and non-material (e.g. distress) damage can apply for compensation from the firm. If the firm does not agree to award compensation, then the individual can take the case to court. Altogether, the financial implications of non-compliance are dire.
Our online data protection courses can be completed at the learner’s convenience. We have three courses covering data protection. Our Data Protection and Information Security course delivers the background to the applicable legislation and explains how to avoid security breaches. Our Understanding Data Protection Regulation courses come in two options – one for front-line staff and one for senior staff.