Data privacy has become a pressing concern worldwide, and new regulations are springing up every year to protect the privacy and personal data of individuals. One major data privacy law, the EU’s General Data Protection Regulation (GDPR), imposes strict regulations on how data is collected, processed, and stored.
Failure to comply with the GDPR can lead to severe consequences, including substantial fines for organizations. The past year alone has seen penalties like Meta’s €390 million and €1.2 billion fines as well as multi-million euro fines for major companies like TikTok, WhatsApp, and Spotify.
But what are the most common GDPR violations? What data processing practices do they involve, and how can they be avoided?
Before we explore the top violations, let’s examine the GDPR’s requirements. At its core, the regulation gives EU individuals greater control over their personal information by mandating strict, transparent data handling practices from organizations. It includes many different rules for different kinds of businesses and data processing activities, but here are some of its core requirements:
Lawful and transparent processing. Personal data must be collected and processed for specific, legitimate purposes, and data subjects must be informed about how their data will be used. Data minimization is also an important aspect of the restrictions on data processing.
Robust individual rights. Data subjects have rights to access their data and request corrections and deletion. Just as importantly, businesses must obtain their explicit and informed consent before processing personal data, and they must make it easy for individuals to withdraw consent at any time.
Internal data processing policies. Some organizations must appoint a Data Protection Officer (DPO) if their core activities involve regular monitoring of individuals on a large scale or processing sensitive data. Others must conduct Data Protection Impact Assessments (DPIAs) for data processing activities that may result in high risks to individual rights and freedoms. All companies must maintain detailed records of their data processing activities, including purposes, categories of data, retention periods, and more.
Cross-border data transfers: If personal data is transferred outside the EU or EEA (European Economic Area), organizations must implement supplementary data protection measures like Standard Contractual Clauses, technological safeguards, or the EU-US Data Privacy Framework.
Data security and privacy by design: Organizations must implement robust security measures to protect personal data from breaches or unauthorized access. Additionally, they must incorporate data protection measures into their systems and processes from the outset — also known as privacy by design and privacy by default.
2022 was a record year for GDPR fines, with over €2.92 billion in fines levied against companies through the enforcement agencies in various EU countries. Compare that to the total amount of reported fines from May 2018 to January 2020: a paltry €127 million.
Not all GDPR fines are made public, so it’s impossible to give an exact ranking of GDPR violations. But we’ll cover five of the most common ones:
This violation can involve several different GDPR articles, but the most commonly cited one is Article 5, which governs how personal data is processed.
Under Article 5, data processing must be done in a lawful, fair, and transparent manner. It must be undertaken for a specific and legitimate purpose — and it must not extend beyond that purpose, meaning that the personal data can’t be subjected to further data processing for different aims.
To avoid incurring fines for non-compliance with general data processing principles, companies must also follow data minimization principles and keep personal data accurate and up to date.
The GDPR aims to ensure that people have insight into how businesses are handling their data. As the website for the regulation puts it: “Individuals have a right to know what data an organization is collecting and what they are doing with it.”
As such, the GDPR grants data subjects certain rights, including the right to access and correct their personal data and, in some cases, the right to have that data erased. A common violation occurs when organizations ignore these rights or delay in fulfilling data subjects’ requests.
To make compliance easier, companies should design and implement a streamlined process for handling data subjects’ requests and responding within the specified timeframe.
Processing data beyond lawful limits is a top cause of GDPR violations. Under the GDPR’s Article 6, organizations are only allowed to process data if they meet one of the six following criteria for lawful processing:
In addition, the GDPR prohibits processing many types of personal data except in certain circumstances. These types of data include information about a person’s racial origin, political opinions, religious beliefs, trade union membership, and health or biometric data.
GDPR compliance is enforced not by a single supervisory body but rather by a different data protection authority (DPA) in each EU member state. These authorities are independent public bodies that are responsible for monitoring GDPR adoption and addressing non-compliance.
Article 58 of the GDPR outlines the many powers of a DPA to investigate data handling practices and issue corrective actions. Organizations are required to cooperate with the DPA in the performance of these tasks when requested, and failing to do so in a timely manner is a common GDPR violation.
Under the GDPR, data controllers and processors are responsible for implementing robust security measures to protect personal data from unauthorized access, disclosure, or loss. This may include technical measures like physical security security, cybersecurity software, and good password practices — or it may include organizational safeguards like employee security training and confidentiality clauses.
Either way, data protection must safeguard personal data against unauthorized access and accidental loss. It must also ensure the confidentiality, integrity, and availability of an organization’s systems — the CIA triad — and the personal data processed within them.
The ShardSecure platform offers advanced data privacy with its innovative approach to file-level encryption. By separating data access from infrastructure providers like cloud storage admins, we protect personal data and support secure cross-border data transfers.
ShardSecure’s approach has been validated by independent privacy attorneys to meet the requirements of Use Case 5 of the EDPB’s recommendations for cross-border data transfers, allowing organizations to store EU personal data within a US cloud provider without violating the GDPR. To learn more about our technology and GDPR/Schrems II compliance, download our white paper or visit our resources page.
Biggest GDPR Fines of 2023 | Skillcast
Data Minimization as a Tool for AI Accountability | AI Now Institute
The General Data Protection Regulation | Consilium
Data Protection Impact Assessment (DPIA) | GDPR.eu
Biggest GDPR Noncompliance Penalties | Spirion
What Are the GDPR Fines? | GDPR.eu
Art. 5 GDPR - Principles Relating to Processing of Personal Data | GDPR.eu
Art. 6 GDPR - Lawfulness of Processing | GDPR.eu
Who’s Enforcing GDPR? - European Data Protection Board | KirkpatrickPrice
Art. 58 GDPR - Powers | GDPR.eu
What Are GDPR Technical and Organizational Measures? | Know Your Compliance
Secure Personal Data | European Data Protection Board
A Guide to Data Security | ICO