The GDPR is the European data protection regulation governing the ways in which businesses use data and which extends the rights people have to their own data.

Over one year in and businesses are starting to feel the full effects of the GDPR, with data protection authorities using the full extent of their powers to punish businesses who have failed to get compliant.

Here is our run down of the most controversial fines issued so far.

  1. Google – €50million

France’s Data Protection Authority CNIL issued this huge fine to Google in Jan 2019 to much fanfare from campaigners. Google was always a target for data protection infringements, so it came as no surprise that they became the first major tech company to feel the weight of the law.

Of course, Google are contesting the fine and have since made noticeable changes to their data handling practices – but will it be enough to appease the authorities?

  1. British Airways – €204.6million

The British Data Protection Authority, the ICO, issued the biggest GDPR fine to date to prestigious UK airline, British Airways. A failure to implement appropriate cyber security measures led to the personal data of over 500,000 customers being compromised.

Whilst the airline reported the data breach as per their requirements, the ICO determined that British Airways had failed to adequately protect customers from the hack due to their poor security arrangements.

The fine has not been finalised – both British Airways and other supervisory authorities will be entitled to make their representations before a final figure is released.

  1. Marriott International – €110.4million

The ICO announced their intention to fine Marriott International just one day after the announcement of the British Airways fine. This fine, though smaller than the British Airways amount, was still a significant amount, and the second largest fine issued under the GDPR so far.

Starwood, part of the Marriott group, had been subject to a long-standing cyber security incident, which was reported to the ICO once discovered. It is though the vulnerability began in 2014, exposing an estimated 339 million personal data records.

Once again, both Marriott International and other supervisory authorities will be entitled to make their representations before a final figure is released.

  1. National Revenue Agency of Bulgaria – €2.6million

Though a far cry from the hundreds of millions charged to the multinational corporate above, the €2.6million fine issued to Bulgaria’s National Revenue Agency is the largest fine issued to a government agency, and the fourth biggest fine to date.

The National Revenue Agency’s lack of adequate cyber security led to the personal data of almost 6 million individuals being made illegally available.

The fine demonstrates the independence of the supervisory authorities, and the responsibility of all organisations to comply with the GDPR.

  1. LaLiga (Spanish National Professional Football League) – €250,000

Not a large fine by the standards we’ve seen above, LaLiga is a stand-out fine because of the accusation of ‘spying’ through their app.

The app, downloaded by users to keep track of football scores, game highlights and news, had a dark secret – one that infringed on their users’ privacy and, according to the Spanish Data Protection Authority the AEDP, one that failed to obtain the proper consent.

Once per minute, the app would switch on the microphone and listen to determine whether the user was in a pub screening the football game, and cross referenced this with location data to identify pubs which were screening games without the proper licenses.

LaLiga strongly disagreed with the AEDP, claiming there were at least two occasions where explicit consent is requested, and that the technology is only listening for a specific sound, ignoring other noises such as conversations.

With Data Protection Authorities across Europe ramping up their activities, and with companies of all shapes and sizes under investigation, it’s time to assess your data privacy activities. Whatever type of business you are, Sovy are the experts in data protection. Find out more about their GDPR Privacy Essentials and GDPR eLearning on their website, and get compliant today.