Top 5 GDPR Fines So Far – 2021

The GDPR, or General Data Protection Regulation, began in May 2018. It aimed to help protect people’s data as technology in the field was advancing. Fines started relatively small and worked their way up to £20 million, and are now skyrocketing to hundreds of millions.


If businesses today don’t remain compliant with the GDPR and the EU’s Data Protection Authorities regulations, they could pay serious fees that could end their business. The most significant fine was recently received by global conglomerate Amazon.


What is a GDPR Fine?


A GDPR fine is issued to businesses that don’t follow the rules on data protection. Those who collect data without telling customers, or don’t have sufficient cybersecurity measures, could be fined astronomical amounts.


Any data breach of personal information (from customers, employees, and suppliers) is what the GDPR is trying to crack down on. How it usually works is the GDPR will take a percentage of the organisation’s global turnover for an infraction.


As it stands, the largest fine to date was around £636 million, nearly a billion euros! As data protection becomes increasingly important with the rise of hackers, the fines become bigger.



What Have Been The 5 Biggest Fines?


The best way to learn how to avoid GDPR fines is to look at the mistakes of those that came before us. So here is a list, in no particular order, of the top five biggest GDPR fines to date.


  1. Google £43.2 Million – Google’s mistake was to make it unclear to users how their data would be used. It is a breach that takes away a user’s right to choose how their data is used and the right to accept or decline. In addition, users need to be made aware if you use their data for targeted ads, for example. Consider whether you’ve got clear statements and notifications about your data policy. For example, does your website have a consent form to seek valid permission from the user? If not, it could lead to a fine similar to Google’s.


  2. H&M £32.1 Million – H&M was secretly keeping a very close eye on employees. Much like Google, when you are collecting data in secret without permission, it won’t be compliant with GDPR. H&M was secretly recording their staff, and it was shared amongst managers. Asking your staff and detailing why the information needs to be collected and shared is the best way to avoid this kind of fine. If your staff are unaware and unable to accept or refuse the terms, then it’s a violation of their rights.


  3. British Airways £20 Million – The airline was fined because their customer data was leaked as they were directed to a fraudulent website. Hackers got a hold of the booking details, addresses, names, credit card numbers and other personal data of around 400,000 people. Failing to implement cybersecurity measures and failing to have a disaster recovery plan in place could cost your business both customer trust and a GDPR fine.


  4. TIM (Telecom Provider) £22.9 Million – TIM is an example of how to be too aggressive with your marketing strategy. They rang up millions of people for some unsolicited promotional communications. This was particularly intrusive as many of the people they rang up didn’t agree to it.


  5. Amazon £636 Million – Last but certainly not least, the GDPR hit Amazon with a £636 million fine for breaching the regulations in Europe. It’s not yet clear what caused this momentous fine, and Amazon has stated that it was “without merit”. Regardless, it’s safe to say that this is a warning sign to all other companies.


Which Countries Have GDPR Fines?


GDPR compliance is predominantly based in the EU, but it also operates within Norway, Iceland, the UK, and Liechtenstein. The issue is that the GDPR was made to protect EU citizens. Therefore, anyone in violation of those citizens’ rights can receive a fine.


This means that any company that wishes to trade with the countries mentioned above and the EU will need to be GDPR-compliant to avoid hefty fines.



How To Stay GDPR Compliant


If your company employs 250 or more people, or handles sensitive data on a large scale, it might be wise to appoint a data protection officer. This is because there are a lot of responsibilities involved in data protection compliance, and having someone with specialised knowledge can support your organisation through it.


If you are a smaller business, you will need to go over what procedures and policies you need to put in place to remain compliant. For example, you may need to update your privacy notice to include your legal basis for processing the data and your data retention times.


About EC-MSP, your IT support partner

EC-MSP are one of the most trusted IT support providers in London. If you would like more help, advice and support with technology for your business, contact us today to see how we can help.