The Top 3 GDPR offences in Europe – are you at risk?

White Papers & Publications
28 January 2021

As everyone knows, failure to comply with GDPR requirements can today lead to administrative, financial, and criminal penalties, and the size of the sanctions imposed is enough to give companies a scare.

In this article, we highlight the most common offences in order to bring to light their causes and, above all, the actions to implement if this has not yet been done.

The top 3 GDPR infractions in Europe:

The top 3 offences have been defined based on data collected via https://www.enforcementtracker.com/

  • Insufficient legal basis for data processing – [GDPR, art. 6] - (38% of total number of fines)
  • Insufficient technical and organizational measures to ensure information security – [GDPR, art. 32] - (21% of total number of fines)
  • Non-compliance with general data processing principles – [GDPR, art. 5] - (16% of total number of fines)
There is a plus side to every regulation!

What if GDPR were a way to build a stronger identity to put forward to your employees, customers, and partners?


In addition to the penalties imposed by national data protection authorities, the company's reputation is also at stake. And as if that weren't enough, exposure to cyber risks can increase, and with it all the associated implications.

Rather than seeing GDPR as a constraint, it should be seen as an instrument that allows the information capital of "2.0" companies to be properly valued and protected, securing their sustainable digital trajectory.

More than ever, taking the time for a review is essential to strengthen the identity of your organization and its interaction with market players, and to formalise its commitments contractually in the digital age.

Good to know:

For the period from 25/05/2019 to 20/05/2020, the Data Protection Authority (APD) received 937 notifications of data leaks (e.g., lost, stolen or hacked data), and 351 complaints and requests (this figure combines the number of mediation requests and/or complaints).

Examples of sanctions and reasons published on the APD website:

  • Illegitimate processing of images from surveillance cameras
  • Failure to respect the right to be forgotten
  • Data breaches
  • Disproportionate use of eID for the creation of a loyalty card
  • Non-compliance with the rules on cookies

It is a safe bet that some topics will emerge or grow in importance, such as:

  • Management of consent and cookies
  • Processing of webcam images during teleconferences
  • “Schrems II” and its practical and organizational consequences
  • Data management through the Cloud
  • As well as the reasons mentioned in the top 3 European sanctions.
Never forget: The aim of the GDPR is not only to guarantee the protection of personal data, but also to enable the "digital economy to develop throughout the internal market" (recital 7 of the GDPR).

Our recommendations to minimize these risks and above all consolidate your reputation:

  • Awareness should be included in a continuous improvement program so that your staff understand their responsibilities and how their actions contribute to the achievement of your organization's objectives.
  • Training allows your employees to understand and apply know-how, combined with their experience, so as to assume their roles and responsibilities.
  • A regular assessment will allow you to measure the GDPR maturity level of your organization and to define and implement an action plan as part of a continuous improvement process.
  • An audit makes it possible to deep dive into subjects considered to be sensitive and can reveal issues which, once addressed, could constitute a determining factor of differentiation in the market.
  • Visibility on technological security becomes central to protecting your information capital and meeting the requirements of the GDPR.
  • 360° communication aims to make the commitments of your organization known to all interested parties, internal and external, and to build lasting trust through good information management.

“What is not known is not managed!”

What if you don't have a DPO or CISO?

Many organizations have decided to entrust the management of their information capital to a partner capable of taking into account the legal, technical, and organizational requirements specific to the client's context.

Your partner will be able to offer you a service tailored to the desired objectives and perspectives, through both advice and the implementation of your GDPR compliance.

In short, CONFIDENCE, a good UNDERSTANDING of your business and quality COLLABORATION with your partner will be the guarantee of a lasting relationship.

Written by our Privacy Consultants: Olivier Dupont & Alain Brisy

Sources:

https://www.autoriteprotectiondonnees.be/professionnel
https://www.cnil.fr/professionnel
https://www.enisa.europa.eu/
https://www.cybersecuritycoalition.be/
https://www.enforcementtracker.com/