GDPR fines: The story so far

Just over six months has passed since the GDPR implementation deadline. Corporate governance teams across Europe and – to a lesser extent – the rest of the world spent considerable time and resources preparing for the new regulation.

The financial stakes for data failings are now much higher than ever before for companies. In the UK, the previous maximum penalty available to the Information Commissioner’s Office (ICO) for mishandling data was £500,000. Now, businesses face paying €20 million or 4% of their revenue, whichever is higher.

How are GDPR fines working in practice?

It’s not quite clear in what circumstances maximum fines will be handed down yet, but the financial ramifications could be significant. For example, Google’s parent company Alphabet posted its first $100 billion (£79 billion) year in 2017. In fact, annual sales reached $110 billion for the company.

Taken at face value, the company would seemingly face a fine of $4.4 billion – or £3.47 billion – if a serious breach occurred. Just to be clear, there are no indications Google’s systems are anything but fully GDPR compliant. The firm merely serves as a good example of how prodigious fines could be for some of the world’s most successful businesses.

But we might not have to rely on hypotheticals much longer, as the first GDPR fines are already filtering through. Here are examples of penalties regulators are looking to impose on organisations that have allegedly breached the regulation:

1. Central Hospital of Barreiro Montijo – €400,000

The Portuguese Data Protection Authority (CNPD) fined the hospital for allowing too many employees to access patient records. The health facility has less than 300 doctors, yet nearly 1,000 staff had the same level of access to sensitive data as medical practitioners. Doctors also allegedly had unrestricted privileges regardless of their specialty.

Media reports suggest the hospital is appealing the fine, half of which would go to the CNPD’s budget. The hospital looks likely to claim the Portuguese Health Ministry provides its IT systems and should be ultimately responsible, but whether this will reduce liability is currently unclear.

2. – €20,000

The website, which is among Germany’s largest chat platforms, told one of the country’s data protection regulators that the personal details of over 330,000 users were compromised after a hacking incident.

Cyber criminals were able to access emails, passwords, real names and addresses for some users. Despite the seemingly serious nature of the breach, the regulator said the chat site had co-operated fully and implemented new measures to prevent further problems, resulting in a fairly lenient fine.

3. Austrian entrepreneur – €4,800

Multinational law firm Freshfields Bruckhaus Deringer has reported on a GDPR fine issued against a retail entrepreneur in Austria, marking what appears to be the country’s first penalty under the regulation.

The entrepreneur installed a CCTV camera in front of his outlet that recorded a large part of the pavement outside. According to the Austrian Data Protection Authority (DSB), large-scale surveillance of public spaces contravenes GDPR rules, particularly as the camera was not sufficiently labelled as a commercial recording device.

4. Marriott International – TBC

Earlier this month, Marriott International revealed hackers gained access to approximately 500 million guest accounts. Nearly two-thirds of those affected may have had passport numbers, emails, dates of birth and mailing addresses stolen. The hotel giant has also been unable to rule out the possibility that credit card information was exposed.

Marriott has informed the ICO of the incident, which could fall under the most serious category of breaches. The company reported $22.9 billion of turnover in 2017, meaning a 4% fine would cost $916 million or £720 million.

Are firms still lagging with GDPR compliance? 

A new IT Governance report claimed only 29% of organisations were fully compliant with GDPR even after the deadline had passed. However, the results don’t appear to show what proportion of these businesses are based in the EU, with responses coming from the Americas, Asia, the Middle East and Europe.

Nevertheless, Marriott International’s situation may act as a wake-up call for global businesses with an EU customer base. As fines continue to roll in, organisations will likely need to reassess their current cyber security measures and overall GDPR compliance levels.

Would you like to discuss IT security and resilience hiring? Please contact me on 020 7936 2601 or via email at

Image credit: Philip Veater via Unsplash