As new compliance regulations come to fruition, what can we learn from this year’s biggest GDPR compliance fines? Telos’ Steve Horvath explores the impact of such fines and how to apply lessons learned to create a stronger plan heading into 2021.
The surreal year that is 2020 is almost at its end, and there is no question that it brought about its own unprecedented set of challenges that will continue to be addressed in the new year. The most obvious of these challenges is the pandemic, which wreaked havoc on the health and well-being of individuals around the globe, as well as on the economy, with job loss and overall downturn. In the same vein, security and privacy compliance remained a challenge for organizations, and that often came at a high price.
According to a recent survey from Telos, over the last 24 months, organizations have been found noncompliant with IT security and privacy regulations an average of six times by both internal and third-party auditors, resulting in an average of eight fines and costing an average of $460,000. To put this in perspective, IT security professionals report receiving an average of over 17 audit evidence requests each quarter and spend 232 working days each year responding to these requests. And the race to the cloud only complicates matters further, with 94 percent of organizations reporting they would face challenges when it comes to IT security compliance and/or privacy regulations in the cloud.
These figures will likely worsen with the ongoing impact of COVID-19, especially given Gartner’s prediction that by 2023, a staggering 65 percent of the world’s population will have personal data covered under modern privacy regulations, compared to the current 10 percent. With this harsh reality coming to light, it all boils down to one question: How can organizations spend less time on security and privacy compliance activities and more on economic recovery? Well, I am a firm believer that in order to move forward, we must first look back. With that in mind, let’s take a look at the top five GDPR fines that were levied in 2020.
1. H&M Fined $41.3M
Representing the most recent major GDPR fine, H&M was hit with a record-breaking $41.3 million fine in October after illegally surveilling employees in Germany. This invasion of privacy included recording employees on their vacation experiences, as well as even more personal details, including illnesses and religious beliefs. As the highest GDPR penalty in Germany to date, this news topped the charts for 2020 and made waves across the industry. Beyond compliance concerns, H&M has been in hot water for other issues, such as offensive products and advertising, signaling internal turmoil that may take time to rectify.
2. Italian Telecom Operator TIM Fined $32.5M
Similar to H&M, TIM set the record for the highest GDPR fine issued by the Italian Data Protection Authority (DPA) (also known as the Garante) in January of this year as a result of the company making promotional calls even to contacts who had opted out. This was not the first violation of this type for the Italian telecom operator, and it seems unlikely it will be the last. The DPA has repeatedly warned other telecommunications companies not to engage in these activities, and since its warnings fell on deaf ears, it slapped TIM with a hefty fine to demonstrate the severity of the issue.
3. Italian Telecom Operator Wind Tre Fined $18.6M
Just six months after TIM was fined, another Italian telecom operator, Wind Tre, was penalized under similar circumstances involving unsolicited marketing communications. Even worse, some users had their contact information listed in a public phone directory when they had not agreed to share those details more broadly. Additionally, some of Wind Tre’s mobile applications required permission from users to process their data, and it would take 24 hours to reverse this consent. This was the second largest fine administered by the Italian DPA, and it is clear that Italy has begun taking a similarly strict approach to data protection as its other EU counterparts.
4. Google Fined $8M
In another surprise, in March the Swedish Data Protection Authority (DPA) fined Google $8.2 million because it did not comply with users’ “right to be forgotten” option to omit their names from search results. More specifically, Google did not remove two of the search results that the Swedish DPA had ordered to be removed. This particular fine was unexpected, given that the Swedish DPA had only administered two minor fines before this, but after a few years of auditing, Google took action this year to show how serious it is when it comes to data protection.
5. Health Insurance Company Allgemeine Ortskrankenkasse Fined $1.4M
Just months after the Google GDPR fine, Allgemeine Ortskrankenkasse (AOK) was fined $1.4 million by the German State Data Protection Commissioner after organizing lotteries and collecting more than 500 participants’ personal data for advertising purposes. While the fine was the largest to date to be delivered by the German State Data Protection Commissioner of Baden-Württemberg, the Commissioner did consider AOK’s cooperation, its standing and influence in the German health care system and the overall impact the pandemic had on the AOK organization in determining the severity of the fine. Without these factors taken into consideration, it’s likely this fine would have been even higher.
Lessons Learned From 2020
What can we learn from these five major GDPR fines from 2020? It is clear that most organizations were penalized for misuse of data related to marketing and advertising. In fact, GDPR has had quite an impact on marketers, as they are only allowed to utilize a user’s data if the individual provides explicit permission, and those in violation “face a fine of $22.3 million or 4 percent of global revenues.” This becomes tricky for marketers, who rely on data collection to do their jobs, as implied consent is no longer commonplace and more stringent regulations are in place.
The impact of COVID-19 only added, and still adds, to this pressure. In response, the U.K. Information Commissioner’s Office (ICO) published notes on how to move forward in this new reality, and the European Data Protection Board offered more concrete guidance on testing and tracing apps. The ICO in particular allowed some forgiveness, as it recognized that some organizations would need to allocate resources and attention elsewhere before revisiting data protection. It also vowed to take the new circumstances into account, something we saw with the AOK fine.
In November, we also witnessed California voters bring the California Privacy Rights Act (CPRA) into law, expanding upon the current California Consumer Privacy Act (CCPA). The most notable changes CPRA makes to CCPA are the addition of a “sensitive personal information” category, a new definition of “consent” similar to GDPR’s definition, a redefinition of “sharing” personal information and a slew of other adjustments that will go into effect over the next few years. Within the cybersecurity realm, CPRA likely means more regulations for Chief Information Security Officers (CISOs) to contend with, which may motivate small to midsize organizations to create a more robust compliance program to comply with rules that may not have existed within their company before.
2021 and Beyond
Looking to 2021, we will likely see even more security and privacy regulations crop up, and with it, the rush to find more effective ways to handle compliance. Two such solutions are automation to reduce costs and increase efficiency (although challenges still exist with collecting and storing this additional data) and migration to the cloud. Another possibility is leveraging artificial intelligence, especially within the financial services sector, where over $4M is spent on compliance activities annually.
These are just a few of the solutions to managing the compliance burden, and there are bound to be more as we head into 2021. Above all, it is important to remember that there is not a one-size-fits-all approach to compliance, and organizations of different sizes with different needs and areas of focus will need to create a customized plan of action to tackle compliance activities.