In only three days, businesses big and small with customers in the European Union have been told to cough up a cumulative €315 million in penalties after failing to comply with the GDPR rulebook.
For the first time since the EU’s General Data Protection Regulation took effect in May 2018, it’s hurting the bottom lines of those who fail to comply.
One of the biggest names connected with the first GDPR fines this week was British Airways, which incurred £183.39 million (204 million EUR / 230 million USD) in penalties for a 2018 breach that affected 500,000 customers.
The Marriott hotel chain, which disclosed late last year that hackers accessed its guest reservation database and exfiltrated customer data for years, got fined £99,200,396 (€110,367,384) the next day. These are only the most publicized cases, not necessarily the most recent ones. Marriott said it would appeal the decision by the UK’s Information Commissioner’s Office.
On Sunday, Romanian news outlet business-review.eu reported that Unicredit Bank was the first recipient of a GDPR-related fine in Romania -- 130,000 euros.
An investigation by Romania’s National Supervisory Authority into personal data use ties the sanction to a “failure to apply appropriate technical and organizational measures, both in the determination of the processing means and the processing operations themselves, to effectively implement data protection principles, such as minimizing data to a minimum and integrating the necessary safeguards in the processing, to meet the GDPR requirements and to protect the rights of the data subjects,” the publication said.
Also in Romania, named by Deloitte as one of the top five EU countries with investigations pending under the GDPR, data protection authorities fined hotel chain World Trade Center 71.028 lei (15.043 euros) after someone took an unauthorized photo of personal details, printed on a piece of paper, covering 46 customers.
If data protection authorities have been indulgent until now, focusing mostly on applying corrective measures as companies achieve GDPR compliance, starting this week we can no longer say the same thing. For the first time since the GDPR went into effect, organizations that fail to safeguard customer data are incurring painful fines.