Some of the most severe and notable actions that took place in 2018 include:

  • Numerous consumer groups across the EU called for action under GDPR and filed complaints with data protection authorities against a major technology corporation. The complaints alleged that the corporation illegally tracks and collects user data without proper consent.
  • A small app developer in Germany was one of the first organizations fined under GDPR, receiving a €20,000 penalty for failing to follow security best practices in protecting user passwords.
  • The Information Commissioner’s Office (ICO) in the UK issued a formal GDPR enforcement action against a Canadian data analytics firm, demanding that the organization “cease processing any personal data of UK or EU citizens…” The ICO alleged that the firm was “processing personal data in a way that data subjects were not aware of, for a purpose they would not have expected, and without a lawful basis for processing.”
  • Following a probe into a major technology corporation, regulators in Europe have indicated they may issue a US$1.6 billion fine for a data breach impacting 50 million users. The same organization also received a £500,000 fine from the ICO for violations of data protection law affecting an estimated 87 million people; that figure was the maximum available under the pre-GDPR Data Protection Act 1998, and the ICO noted that the fine would have been considerably higher had the violation fallen within the scope of GDPR.
  • In November, France’s data privacy regulator, the Commission Nationale de L'Informatique et des Libertés (CNIL), imposed GDPR consent requirements on companies in the online advertising industry.
  • Among the first to issue fines under GDPR, the data protection authority in Portugal issued a €400,000 fine to a hospital for failing to apply appropriate access controls to digital patient data.

Another important lesson from activity in 2018 is that a data breach is not necessarily a breach of data protection law. The recent airline breach in the UK is a good example: the company was hacked and suffered a breach, but it responded with transparency and followed best practices, and thus far the incident has not been found to be a violation of GDPR. Conversely, a data breach is not a prerequisite for a GDPR violation. We have already seen this in 2019, when the CNIL imposed a €50 million fine for processing personal data for advertising purposes without first obtaining valid consent.

As organizations prepare for increased GDPR scrutiny, they should also keep an eye on other regions where data privacy laws and enforcement actions are expanding in response to the spotlight GDPR has put on privacy. Notably, California’s new privacy law, signed in 2018 and modeled in part on GDPR, is set to take effect January 1, 2020. The trends above should be taken seriously and used to build better practices in 2019, ensuring that information governance and data privacy risk programs are a top priority for company leadership.