European Data Protection Authorities Are Rapidly Increasing GDPR Enforcement Activities
According to a recent analysis by Forrester, the European Union’s Data Protection Authorities (DPAs) are increasing their enforcement activities under the General Data Protection Regulation (GDPR).
DPAs have levied 190 fines and penalties since the GDPR took effect in May of 2018. Spain is the most active regulator with 43 enforcement decisions, followed by Romania (21) and Germany (18). The UK has imposed the highest total amount of fines (over $347 million) assuming the large fines on British Airways and Marriott are upheld.
Failure of data governance triggers the most fines and penalties. DPAs have focused their enforcement actions on violations of GDPR Article 5 and Article 6. Article 5 sets out the key principles of data processing: lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, security, and accountability. Article 6, in turn, requires that companies process personal data only on the basis of a valid legal ground under the GDPR for collecting and using personal data.
Data breaches are only a starting point for determining fines. Investigations that followed security breaches highlighted not only specific circumstances of the breach but also inadequate security arrangements, particularly inadequate authentication procedures.
DPAs evaluate the impact of the breach, not just the volume of the affected records. Compromised data of even one customer can lead to significant fines. For example, a German hospital was fined over $115,000 for the misuse of a single patient’s data.
Failure to respect individual privacy rights and third-party risk mismanagement will lead to future fines and penalties. According to the Forrester analysis, most current enforcement actions refer to the customers’ requests to access and delete data but enforcement actions for employee requests are also increasing. In addition, proactive third-party risk management remains as important as ever for companies handling personal data, as third-party risk has far-reaching implications for privacy.
Ask Clarip today how we can solve your biggest compliance pain points. Call Clarip at 1-888-252-5653.