The GDPR fines that make the news headlines are relatively small in number. Those fines are often massive penalties against companies that are household names including the €1.2 billion fine against Meta Platforms Ireland in May 2023. However, those types of fines represent only the ‘tip of the iceberg’ and it can be useful to consider the broader picture.
Statistics show that the ‘top 5’ most common types of GDPR violation resulting in fines being issued by supervisory authorities are as follows*:
1. Insufficient legal basis for data processing: 629 fines, average fine €2.6 million
2. Non-compliance with general data processing principles: 571 fines, average fine €3.6 million
3. Insufficient technical and organisational measures to ensure information security: 364 fines, average fine €1.1 million
4. Insufficient fulfilment of data subjects' rights: 199 fines, average fine €0.5 million
5. Insufficient fulfilment of information obligations: 189 fines, average fine €1.3 million
Specifying the legal basis for data processing is often the starting point for companies when they are establishing their GDPR compliance. So, it may seem surprising that the most common reason for a company being fined is “Insufficient legal basis for data processing”. It is perhaps more surprising still when you consider that companies are required to include this information within their privacy notices and, in most cases, make it publicly available on their company websites. It appears, then, that many companies have either misunderstood what is expected of them here or believed that they could adopt a looser interpretation than the supervisory authorities consider acceptable. With corresponding fines averaging €2.6 million, many companies may find it useful to review their position and ensure that they have confidence in having a ‘sufficient’ legal basis for their data processing activities.
*Data source: https://www.enforcementtracker.com/?insights