Q3 fines 20 times higher than the combined total of Q1 and Q2 and triple the fines handed out in 2020
According to the latest data compiled by Finbold, there has been a stark increase in the number and severity of penalties being handed out by European data commissions. The huge figure should serve as a warning to companies who fail to adhere to GDPR.
Total fines for Q3 2021 amounted to over $1.1bn, twenty times the combined total of Q1 and Q2 2021 and triple the amount handed out in 2020.
Although some of the penalties relate to lengthy cases, the increase in the level of fines issued highlights a few things that all companies trading across Europe need to be aware of, as AJ Thompson, CCO at Northdoor plc, explains.
“All businesses have to be aware of any regulation that is issuing over $1bn worth of fines in one quarter. There have been some high-profile cases over the last couple of months and a majority of these do not relate to a specific data breach, but rather to the poor internal data processes within companies.
“Too many companies rushed to adhere to GDPR during the fanfare of its launch in 2018, but have done very little since. During the first couple of years most of the fines related to huge data breaches during which cyber criminals gained access to sensitive data. However, as data commissions across Europe began to look deeper into data management, recent investigations have tended to focus on internal procedures.
“This means that those who think they are safe from investigation because they have not been breached by criminal activity are living in false hope. The need to ensure that all data processes are adhering to GDPR is now critical.
“For example, the WhatsApp fine of €225m issued by the Irish Data Protection Commission in September 2021 related to a lack of transparency about how it handled customer information. Although most companies will not be hit by a multimillion-pound fine, penalties of several thousand are being issued regularly. The key takeaway has to be that all companies need to ensure that they are constantly compliant.
“Another good example is the recent claim by a German data protection commission that the use of Zoom breached GDPR rules. With so many companies now utilising the video conferencing tool, if confirmed, it would mean hundreds if not thousands of companies would no longer be adhering to the regulation.
“Therefore, companies cannot treat GDPR as a tick-box exercise, sitting back after adherence is confirmed. Instead, there needs to be constant vigilance about the changing landscape. Too often this task is either ignored or given to one individual to manage and is therefore at risk of becoming a victim of human error.
“To take the emphasis off individuals, companies need to be looking at industrialising their internal GDPR processes. This ensures that current processes are in line with the regulation and can also make sure that any changes to the rules are immediately recognised and changes implemented.
“It is very clear that data protection commissions across Europe are taking GDPR very seriously and that they are not only investigating companies that have suffered criminal data breaches. Every company needs to relook at their adherence to the regulation, implement solutions that help manage this process and keep employees up to date with the latest changes. Without industrialising this process, companies are putting themselves at real risk of suffering potentially damaging fines, impacting not just finances but reputation and potential loss of business,” Thompson concluded.