Corporate Compliance Insights
Paying the Price: Compliance Challenges in 2020 and Beyond

Lessons from 2020’s Top 5 GDPR Compliance Fines

by Steve Horvath
December 9, 2020
in Compliance, Featured
As new compliance regulations come to fruition, what can we learn from this year’s biggest GDPR compliance fines? Telos’ Steve Horvath explores the impact of such fines and how to apply lessons learned to create a stronger plan heading into 2021.

The surreal year that is 2020 is almost at its end, and there is no question that it brought about its own unprecedented set of challenges that will continue to be addressed in the new year. The most obvious of these challenges is the pandemic, which wreaked havoc on the health and well-being of individuals around the globe, as well as on the economy, with job loss and overall downturn. In the same vein, security and privacy compliance remained a challenge for organizations, and that often came at a high price.

According to a recent survey from Telos, over the last 24 months, organizations have been found noncompliant with IT security and privacy regulations an average of six times by both internal and third-party auditors, resulting in an average of eight fines and costing an average of $460,000. To put this in perspective, IT security professionals report receiving an average of over 17 audit evidence requests each quarter and spend 232 working days each year responding to these requests. And the race to the cloud only complicates matters further, with 94 percent of organizations reporting they would face challenges when it comes to IT security compliance and/or privacy regulations in the cloud.

These figures will likely worsen with the ongoing impact of COVID-19, especially given Gartner’s prediction that by 2023, a staggering 65 percent of the world’s population will have personal data covered under modern privacy regulations, compared to the current 10 percent. With this harsh reality coming to light, it all boils down to one question: How can organizations spend less time on security and privacy compliance activities and more on economic recovery? Well, I am a firm believer that in order to move forward, we must first look back. With that in mind, let’s take a look at the top five GDPR fines that were levied in 2020.

1. H&M Fined $41.3M

Representing the most recent major GDPR fine, H&M was hit with a record-breaking $41.3 million fine in October after illegally surveilling employees in Germany. This invasion of privacy included recording details of employees’ vacations, as well as even more personal information, including illnesses and religious beliefs. As the highest GDPR penalty in Germany to date, this news topped the charts for 2020 and made waves across the industry. Beyond compliance concerns, H&M has been in hot water for other issues, such as offensive products and advertising, signaling internal turmoil that may take time to rectify.

2. Italian Telecom Operator TIM Fined $32.5M

Similar to H&M, TIM broke the record for the highest GDPR fine issued by the Italian Data Protection Authority (DPA) (also known as the Garante) in January of this year, as a result of the company making promotional calls even when contacts had opted out. This was not the first violation of this type for the Italian telecom operator, and it seems unlikely it will be the last. The DPA had repeatedly warned other telecommunications companies not to engage in these activities, and since those warnings fell on deaf ears, it slapped TIM with a hefty fine to demonstrate the severity of the issue.

3. Italian Telecom Operator Wind Tre Fined $18.6M

Just six months after TIM was fined, another Italian telecom operator, Wind Tre, was penalized under similar circumstances for unsolicited marketing communications. Even worse, some users had their contact information listed in a public phone directory when they had not agreed to share those details more broadly. Additionally, some of Wind Tre’s mobile applications required users to grant permission to process their data, and it took 24 hours to withdraw that consent. As the second-largest fine administered by the Italian DPA, it is clear that Italy has begun taking a similarly strict approach to data protection as its other EU counterparts.

4. Google Fined $8M

Coming as another surprise in March, the Swedish Data Protection Authority (DPA) fined Google $8.2 million because it did not comply with users’ “right to be forgotten” requests to omit their names from search results. More specifically, Google did not remove two of the search results that the Swedish DPA had ordered to be removed. This particular fine was unexpected, given that the Swedish DPA had administered only two minor fines before this, but after a few years of auditing, Google took action this year to show how serious it is when it comes to data protection.

5. Health Insurance Company Allgemeine Ortskrankenkasse Fined $1.4M

Just months after the Google GDPR fine, Allgemeine Ortskrankenkasse (AOK) was fined $1.4 million by the German State Data Protection Commissioner after organizing lotteries and collecting more than 500 participants’ personal data for advertising purposes. While the fine was the largest to date delivered by the German State Data Protection Commissioner of Baden-Württemberg, the commissioner did consider AOK’s cooperation, its standing and influence in the German health care system and the overall impact the pandemic had on the AOK organization in determining the severity of the fine. Without these factors taken into consideration, it is likely this fine would have been even higher.

Lessons Learned From 2020

What can we learn from these five major GDPR fines from 2020? It is clear that most organizations were penalized for misuse of data related to marketing and advertising. In fact, GDPR has had quite an impact on marketers, as they are only allowed to use a user’s data if the individual provides explicit permission, and those in violation “face a fine of $22.3 million or 4 percent of global revenues.” This becomes tricky for marketers, who rely on data collection to do their jobs, as implied consent is no longer accepted and more stringent regulations are in place.

Only adding to this pressure was, and still is, the impact of COVID-19. In response, the U.K. Information Commissioner’s Office (ICO) published notes on how to move forward in this new reality, and the European Data Protection Board offered more concrete guidance on testing and tracing apps. The ICO in particular allowed some forgiveness, recognizing that some organizations would need to allocate resources and attention elsewhere before revisiting data protection. It also vowed to take the new circumstances into account, something we saw with the AOK fine.

In November, we also witnessed California voters bring the California Privacy Rights Act (CPRA) into law, expanding upon the current California Consumer Privacy Act (CCPA). The most notable changes CPRA makes to CCPA are the addition of a “sensitive personal information” category, a new definition of “consent” similar to GDPR’s definition, a redefinition of “sharing” personal information and a slew of other adjustments that will go into effect over the next few years. Within the cybersecurity realm, CPRA likely means more regulations for Chief Information Security Officers (CISOs) to contend with, which may motivate small to midsize organizations to create a more robust compliance program to meet rules that may not have existed within their company before.

2021 and Beyond

Looking to 2021, we will likely see even more security and privacy regulations crop up, and with them, the rush to find more effective ways to handle compliance. Two such solutions are automation to reduce costs and increase efficiency (although challenges still exist with collecting and storing this additional data) and migration to the cloud. Another possibility is leveraging artificial intelligence, especially within the financial services sector, where over $4M is spent on compliance activities annually.

These are just a few of the solutions to managing the compliance burden, and there are bound to be more as we head into 2021. Above all, it is important to remember that there is not a one-size-fits-all approach to compliance, and organizations of different sizes with different needs and areas of focus will need to create a customized plan of action to tackle compliance activities.

Steve Horvath

Steve Horvath is VP of Strategy and Cloud at Telos, where his focus is on long-term strategic partnerships and solutions spanning the company’s breadth of offerings. Joining Telos in 2006, Steve established a new model for providing professional services in support of the company’s Xacta risk management platform. With over 20 years of practical experience in the information security domain, Steve is considered an expert in risk and compliance for information technology. He is a graduate of the University of Maryland, College Park and maintains both Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP) certifications.