GDPR – 8 years on
Compliance & regulation are a big part of what we do for clients here at Wirebox. From ISO to PCI and everything in between, we support brands in meeting their obligations and best practices. Back on the 24th of May, 2016, GDPR came into force, with the full regulations applying from the 25th of May, 2018. It brought with it a whole raft of changes to how businesses handle their data. Even with Brexit, the UK version of GDPR remains much the same as the original EU one (the two are nearly identical, so we’ll keep using GDPR as shorthand for both). So, in honour of its 8th anniversary, we’re looking at the fines that have been handed down, what businesses are still struggling with, and the common pitfalls to avoid so you can finally reach 100% compliance.
Big GDPR fines
As of 2023, the biggest fine ever handed down was €1.2bn to Meta (Facebook’s parent company) for “transferring personal data of European users to the United States without adequate data protection mechanisms and serves as a significant milestone in data protection regulation.” After that, Amazon was hit with €746m for infringements around its advertising targeting system. Then Meta again, twice: for processing the personal data of children (€405m) and for forcing consent on Instagram and Facebook (€390m). Next is TikTok at €345m for improper handling of children’s accounts. Then Meta once more, this time over a data hacking issue in Ireland (€265m), and for WhatsApp after a 3-year investigation into violations (€225m). Rounding out the list is Google, which didn’t allow French users to decline cookies as easily as they could accept them. That cost them €90m.
Common GDPR violations
Just looking at the list above, you can see trends around improper data transfers overseas, poor handling of children’s accounts, a lack of consent parity, and the like. Shard Secure explains that, while not all rulings are public, the common issues are around:
- General data processing non-compliance
- Not fulfilling the rights of data subjects
- Limited legal basis for processing the data
- Poor cooperation with authorities
- Bad data hygiene
Now, when you see only big names on this list, you’re probably wondering “don’t they have teams of people to keep them GDPR compliant?” The short answer is yes, but the larger a company is and the more territory it covers, the more complex its IT and data processing infrastructure becomes. Companies of all sizes struggle to achieve compliance. Forrester reported that, even as of 2021, “only 41% of US [organisations] said that they are compliant with international data transfer requirements. Surprisingly, as little as 31% of German [organisations] say the same, with 47% reporting that they are partially compliant. Almost half of the companies in Italy and France and 39% in the UK say that they are compliant with these requirements.” So it can be challenging, no matter your size.
How to ensure GDPR compliance
To ensure GDPR compliance, you need to focus on these 4 things:
- Know where your data is going in the world and what rules apply
- Keep a firm hand on any third parties and on your IT infrastructure
- Ensure your processes act in the consumer’s best interest
- Have a good risk management strategy and crisis management process
If you already feel overwhelmed by GDPR and want a hand, we’re here for you. Just having a good map of all your data flows and your risk landscape can provide a lot of clarity and a good deal of risk mitigation.