The rhetoric in the run-up to the GDPR (General Data Protection Regulation) taking effect was that any organisation that didn’t have immaculate compliance practices would be in line for a €20 million fine.
Although only the most frantic commentators thought that monumental penalties would be handed out left, right and centre, there has still been the sense that GDPR enforcement hasn’t been as rigorous as one might expect.
There have been mitigating factors behind that. It takes time for supervisory authorities to investigate incidents, and there was an immediate backlog of work as individuals across Europe submitted complaints and queries.
Then, of course, came COVID-19, which has slowed business to a crawl and led to many supervisory authorities, including the UK’s ICO (Information Commissioner’s Office), suggesting that it would show leniency on potential compliance failures given the difficulties that the pandemic has presented.
But amid all this, there has been one outlier: the Spanish Data Protection Authority. It was the most active in terms of GDPR fines throughout 2020, issuing 131 fines in total, and it has only picked up the pace in 2021.
Since March, it has issued more than 30 fines, including one of the largest ever recorded – an €8.15 million penalty against Vodafone Spain.
But although Spain has been the most punitive country, countries across the EU have been increasing the rate at which they have issued fines. In the first quarter of 2021, there were 96 fines issued across Europe, compared to just 68 over the same period in 2020.
The increase suggests that the issues standing in the way of GDPR enforcement are easing and a surge in regulatory action could be coming.
Free PDF download: Data Flow Mapping Under the GDPR
Data flow mapping is a key process in ensuring that you are GDPR compliant. Download our free green paper to understand how it fits into your organisation and how it can protect you from regulatory fines.
GDPR fines in Q1 2021
In the first quarter of 2021, EU countries received a total of €33.61 million in GDPR fines. As you’d expect, Spain has been responsible for the largest proportion of that – €15.7 million.
Germany ranks second, issuing €10.7 million from three cases, and Italy was third, with fines amounting to €5.6 million from twenty violations.
The most common violation involved Article 5, which states that personal data must be:
- Processed lawfully, fairly and transparently;
- Collected only for specific legitimate purposes;
- Adequate and, where necessary, up to date;
- Stored only as long as necessary; and
- Processed in a way that ensures appropriate security.
The next most common violation involved the failure to document a lawful basis for processing, which is covered in Article 6 of the GDPR.
The other major contributor to GDPR fines was organisations’ failure to meet Article 32, which states that data controllers and processors must “implement appropriate technical and organisational measures” to secure the personal data they process.
To comply with Article 32, organisations must identify and mitigate risks that are presented by data processing, “in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed”.
GDPR compliance with IT Governance
Those looking for help meeting their data protection requirements should take a look at our GDPR Toolkit.
Designed and developed by GDPR experts, this toolkit contains a complete set of template documents to demonstrate your compliance practices.
It’s ideal for anyone who wants help completing their documentation requirements quickly and easily, but it’s more than simply a set of templates. It also includes:
- Gap analysis and DPIA tools that help you identify compliance weaknesses and how to address them;
- Two licences for the GDPR Staff Awareness E-learning Course; and
- Guidance documents covering data subject consent forms, data retention records, and pseudonymisation, minimisation and encryption.