The GDPR has been in force for almost two years, and EU supervisory authorities have not lost any momentum in bringing enforcement actions for violations of the law.
A survey of the last three months alone shows a wide range of enforcement activity. In particular, regulators have issued fines to large companies like major banks and Google, but also to mid-sized organizations, including government and professional agencies, schools, telecommunication companies, and restaurants. Even more surprising, some enforcement actions have been directed at private individuals.
While some fines were as low as €1,000, the vast majority of fines ranged from €10,000-€90,000. However, the highest fines have reached over a million euros, with one particularly jaw-dropping fine of €27,800,000.
Enforcement actions have targeted a wide range of GDPR violations, including failure to cooperate with supervisory authorities, insufficient responses to data subject rights requests, failure to post a privacy or cookie policy, non-compliance with data processing principles, and insufficient technical and organizational measures to ensure data security. The most prevalent concern for regulators has been cases where the data controller failed to identify a proper legal basis for processing personal data (under Article 6 GDPR).
Finally, Spain has issued by far the highest number of enforcement actions in the past three months; however, regulators in Italy, Romania, the UK, Greece, Cyprus, Denmark, Iceland, Belgium, Sweden, the Netherlands, Hungary, and Poland have also been especially active.
Based on the frequency of enforcement actions – and the fines associated with them – no company should consider itself “safe” from GDPR enforcement, even for violations that may seem minor. Protect your organization by seeking professional support from a firm like VeraSafe. Contact us today to learn how we can help.