Don’t Let Increased GDPR Fines Hurt Your Bottom Line

by Feb 1, 2021

The European Union’s General Data Protection Regulation (GDPR) was put into effect on May 25, 2018. In the rapidly evolving world of information technology, this can seem like a long time ago. Almost three years, the last of which has seen the world dealing with the COVID-19 pandemic, have gone by since this groundbreaking data privacy regulation was introduced to the business community. 

Things have certainly changed since the GDPR was first unveiled. What began as small fines intended to illustrate a point rather than cause financial pain has evolved. Now larger penalties designed to modify behavior related to data privacy are being levied by regulatory authorities. 

In 2020, fines were increased as it became obvious that many entities were not taking the regulations as seriously as they should. Organizations subject to GDPR fines can experience a big hit to their bottom line. It has become substantially more important from a fiscal perspective for companies to follow the guidelines outlined in the GDPR. 

What Are GDPR Fines?

Two tiers of GDPR fines have been established so that the financial penalty can reflect the severity of the identified violation. For both tiers, the larger amount between the base penalty and annual revenue sets the ceiling for the size of the fine. 

Less severe violations can result in a fine of €10 million or 2% of the firm’s worldwide annual revenue from the preceding financial year. This level of fine is opposed for violations of the GDPR that govern the actions of:

  • Data controllers and processors;
  • Certification bodies;
  • Monitoring bodies.

Fines of up to €20 million or 4% of an organization’s worldwide annual revenue from the preceding financial year can be mandated for more serious violations. These are generally related to the core principles concerning an individual’s right to privacy and the right to be forgotten. Penalties that fall into this category are due to violations of GDPR articles governing:

  • Basic principles of data processing;
  • Conditions for consent;
  • Rights of data subjects;
  • International or third-party data transfers;
  • Violations of member state privacy laws;
  • Failure to follow orders from a GDPR supervisory authority.

Multiple criteria are used to determine the existence and severity of a violation. These include considering the scope of the infringement, how many individuals were affected, the damage they suffered, and the length of time it took to resolve the issue. Other factors address whether the violation was intentional or due to negligence and considers if the offending entity has taken actions to mitigate the damage. A history of previous violations will result in a harsher judgment and more substantial penalties for repeat offenders. 

Fines Imposed in 2020

The regulatory agencies responsible for levying fines are increasing the pressure on companies to properly protect against data privacy violations and data breaches. An overall increase of 39% over the previous year and a half has been seen in 2020.

In some cases, there has been disagreement on the severity or existence of a violation between the data protection regulators and national civil courts. These will almost certainly continue as the fined entities appeal the legality of the penalties. From the perspective of an offending company, they need to be prepared to pay the fine if the legal intervention fails.

Large fines have been imposed in 2020 for GDPR violations by several national regulatory entities. While it is too early to say for sure, these fines pave the way for more substantial penalties to become the norm for companies unwilling or unable to take the necessary steps to attain compliance. 

In Germany, multinational Swedish retailer H&M was fined €35.3m for gross disregard of data protection rules associated with its practice of illegal surveillance of its employees. German authorities justify the size of the fine as a means of influencing the behavior of other companies that may violate people’s privacy.

British regulators fined Marriott and British Airways, although the final amounts were greatly reduced from initial penalties. The airline ended up with a €22m fine, with Marriott facing one of €20m. Authorities took into account the effects of COVID-19 on the affected businesses when reducing the original judgments. 

The reduction of the penalties does soften the blow, but fines in the tens of millions of euros should be enough to make the point. Compliance with privacy regulations needs to be a top priority of any enterprise that handles sensitive personal information. 

Keeping Your SQL Servers Compliant with the GDPR

Companies located anywhere in the world that have customers residing in the European Union are subject to the guidelines of the GDPR and need to maintain compliance throughout their IT environment. This can be a challenging task, as it can often be difficult to identify the sensitive data that needs to be protected. Fortunately for organizations using SQL Server to handle their data assets, there is a dedicated tool that can help teams keep their systems compliant with GDPR and other regulatory standards.

SQL Compliance Manager offers database teams an application designed to maintain regulatory compliance in SQL Server environments. The tool can be used to discover sensitive data with an integrated sensitive column search so you know what needs to be protected. Tamper-proof audit and reporting capabilities enable teams to gather evidence to address the questions of internal and external auditors. 

Customizable templates for regulatory guidelines like GDPR, HIPAA, and SOX can quickly be applied to servers and databases. Current settings can be compared to regulatory standards to verify compliance and identify areas that need to be addressed. Alerts can be generated on user-defined events to keep administrators apprised of privileged database user activity. 

Steer clear of GDPR fines by keeping your SQL Servers compliant with data privacy regulations. SQL Compliance Manager will help reduce the chances of an expensive data breach and protect sensitive customer and employee data. It will become increasingly more expensive to take that responsibility lightly.