Five and a half years ago on a cold, rainy day in Europe, the protection of personal information was an afterthought. Companies ran unchecked and unchallenged, collecting and processing data at will. But in 2016, a savior was born. And two years later in 2018 on May 25th, they appeared.
Happy GDPR Day! On this day in May of 2018, GDPR went into effect in the European Union. Companies now have to comply with the regulation’s 99 Articles to protect data subjects and their information from unlawful and unwarranted collection and distribution. This regulation has also inspired similar laws in other countries, such as India’s Personal Data Protection Act (PDPA) and Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD). More countries are following GDPR’s lead as they recognize the need to protect personal information.
To see how this regulation applies to you and me, and for an overview of the different Articles, refer to the GDPR series on the DPP website. If you’d like to view the full timeline, refer to the link here.
To further commemorate this day, here are the five largest fines levied under the regulation over the past few years:
- Google – In March 2020, the company was fined $41 million for not providing enough information in consent policies and granting users inadequate control over how their data was processed.
- H&M – On October 5, 2020, the company was fined $41 million for gaining access to confidential employee information that influenced Senior Management’s decisions about the affected employees. Employees’ health and religious information was recorded and shared even though it was not necessary for making those decisions. This violates the principle of data minimization.
- Telecom Italia (TIM) – On January 5, 2020, the company was fined $31.5 million for several violations committed over several years. TIM bombarded individuals with aggressive marketing tactics, including phone calls to people on do-not-contact lists.
- British Airways – In October of 2021, the company was fined $26 million for a breach that occurred in 2018. This fine was negotiated down from the $238 million initially proposed in 2019. 400,000 customers were affected when attackers stole payment card information and other personal information from BA systems. The security measures in place were insufficient to prevent the attack. One such gap was the absence of multi-factor authentication, which nowadays is a must-have for companies dealing with sensitive data.
- Marriott – The company was fined $23.8 million, down from the initial $123 million, for allowing 383 million guest records to be exposed after the hotel’s guest reservation database was compromised. The intrusion originated in 2014 in Starwood Group’s guest reservation system. Marriott acquired Starwood in 2016, and the intrusion wasn’t detected until 2018 (quite a long time to not notice an intrusion…). Marriott failed to perform adequate security due diligence when it acquired Starwood, allowing the compromise to continue for two more years.
The top five total $163.1 million. It could have been higher, but the original amounts were argued down by lawyers, eventually bringing us to the number you see above. Each of the incidents above could have been avoided if the companies had done their due diligence and taken measures to protect the data they held. But we’re only in year three, so more fines will follow, and companies will continue to develop better protection methods.
See the Newsletters page for the latest content and to subscribe to the regular update, see the About page for information around who DPP is, and check out the Contact page to reach out to DPP with any questions or concerns. These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.
Once you understand how valuable your information is, then you can begin taking steps to keep it private.