Record Fines Imposed By The GDPR In October 2020 - Clarip Privacy Blog

Record Fines Imposed By The GDPR In October 2020


In October 2020, European data protection authorities imposed some of the largest fines to date under the General Data Protection Regulation (GDPR).

H&M – €35 million ($41.3 million) Fine

The Hamburg data protection authority fined a German subsidiary of the Swedish retail conglomerate H&M for the unlawful surveillance of hundreds of its employees. The company had collected sensitive personal data through staff surveys and informal conversations with managers. The data included information about employees' religious beliefs, health information (including diagnoses and symptoms of illnesses), and private details about vacations and family matters. The company used this sensitive personal data to build profiles of its employees.

Since at least 2014, the company had collected, recorded, and stored a large amount of information about the personal lives of hundreds of its employees. Under Article 9 of the GDPR, processing personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data, data concerning health, or data concerning a person's sex life or sexual orientation, is prohibited unless one of the listed exceptions applies. The data at issue was collected and processed without the employees' consent and was used to evaluate their performance, to build detailed profiles of them, and to make employment decisions.

British Airways – £20 million ($25.8 million) Fine

The UK's data protection authority, the Information Commissioner's Office (ICO), fined British Airways in connection with a 2018 data breach, settling on a final sum of £20 million after having announced in July 2019 its intention to impose a penalty of £183 million. The ICO's investigation found that the airline was processing a significant amount of personal data without an appropriate level of security measures in place, which allowed a cyber-attack that began in June 2018. The attack was not discovered until September 2018, by which time the attackers had already stolen the personal data of more than 400,000 customers and staff. The ICO noted that measures available at the time, such as limiting access to applications and data to what a role requires, rigorous testing, and multi-factor authentication for employee and third-party accounts, could have prevented or mitigated the attack. This is the largest fine issued by the ICO to date.

Marriott International – £18.4 million ($24 million) Fine

On October 30, 2020, the ICO issued an £18.4 million fine against Marriott International Inc. The fine stems from Marriott's November 2018 disclosure that personal data contained in approximately 339 million guest records worldwide had been exposed after attackers gained access to the Starwood hotels reservation system in 2014. Marriott acquired Starwood in 2016, but the compromise was not discovered until September 2018, roughly two years after the acquisition.

Lessons from the GDPR Fines:

Privacy regulators throughout the European Union are setting a precedent for regulatory enforcement and sending a strong message that companies must respect personal privacy, protect personal data, and uphold their obligations under the applicable privacy laws. Companies that ignore their privacy and data protection obligations are bound to pay the price in the form of regulatory fines, consumer litigation, and a diminished reputation with their customers. What can companies do today to reduce these risks?

  • Perform automated data mapping and maintain a regular data inventory of the sensitive personal data and related categories of information collected on employees and customers across all brands and affiliates. Knowing what you collect, and where it lives, is the first step toward avoiding fines.
  • Manage your vendors: know what data they process on your behalf and monitor the points of access they have into your company's information assets.
  • Implement a consent management process where the applicable regulations require one.
  • Implement and monitor privacy and security controls to protect personal information from unauthorized access, use, and disclosure.
  • Perform due diligence on privacy requirements and cybersecurity controls during the merger and acquisition process, so that an acquired company's undiscovered breach does not become your own.

Improve customer trust with Clarip's privacy governance platform. Schedule a demo of the Clarip data mapping software for GDPR by calling 1-888-252-5653.
