EU GDPR results: first million euro fines and more audits announced

Legal requirements | 09. AUG 2019

About GDPR fines

When the EU GDPR came into force, it carried a warning that fines could reach up to €20 million or 4% of worldwide annual turnover of the preceding financial year, whichever is higher. It has since become clear how serious that warning was. The UK ICO has announced its intention to impose the highest fines to date: £183 million (about €200 million) on British Airways and £99 million (about €110 million) on the hotel group Marriott International. France has also issued fines in the millions: Google got away with the comparatively low sum of €50 million.

Several proceedings are still pending. With over 200,000 reported cases in the first year of the EU GDPR, more fines are likely to follow soon. In Germany, the fines issued in the first year stayed below €100,000. In the first months of the second year, however, German fines have already climbed towards the €10 million mark, and there is no reason to assume it will stop there.

Fairness in data security

A year after the regulation took effect, data protection professionals consider the transition phase to be over. "2019 will be the year of audits", announced Baden-Württemberg's State Commissioner for Data Protection and Freedom of Information, Dr. Stefan Brink, at the beginning of the year. The announced focus areas are online retail, public safety, traffic, municipal administration, health and education. Companies that have not yet put the EU GDPR into practice may well attract attention.

Data security is also a matter of justice. "Those who bet on gaps in their data security cannot thereby gain an advantage over data-security-compliant competitors; that in itself is a matter of fairness," emphasises Dr. Brink.

Encryption is visible, and so is its absence

If you wonder about your chances of being caught: they are high. Your recipients can easily see whether an email was protected. An encrypted email requires matching software on their side, sends them to a portal that demands login credentials, or at least asks for a password before an attachment can be opened. If none of these appear, the email content was not encrypted. Note that this concerns content encryption; transport encryption (TLS) between mail servers leaves no such trace for the recipient and is a separate question.
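
The same visibility can be checked mechanically. The following is an added example, not code from the original article or from the Z1 product: it classifies a raw message purely from the MIME structure a recipient sees, without any key material, distinguishing S/MIME and PGP/MIME encryption and inline PGP from messages that are merely signed (origin proven, content readable) or plain cleartext. The function name `classify_email` and all sample messages are constructed for this example; the base64 and PGP armour bodies are placeholders and are never decoded.

```python
"""Classify an e-mail by whether its content was encrypted end-to-end.

Added example, not code from the original article or the Z1 product. It only
inspects the MIME structure any recipient can see without key material.
All sample messages are constructed; base64/armour bodies are placeholders.
"""
from email import message_from_string, policy
from email.utils import collapse_rfc2231_value

# S/MIME enveloped data (RFC 8551): the whole body is one opaque CMS blob.
SMIME_ENCRYPTED = (
    'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "MIAGCSqGSIb3DQEHA6CAplaceholder\n"
)

# PGP/MIME (RFC 3156): multipart/encrypted with a control part and ciphertext.
PGP_MIME_ENCRYPTED = (
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: application/pgp-encrypted\n"
    "\n"
    "Version: 1\n"
    "--b1\n"
    "Content-Type: application/octet-stream\n"
    "\n"
    "-----BEGIN PGP MESSAGE-----\n"
    "hQEMA3placeholder\n"
    "-----END PGP MESSAGE-----\n"
    "--b1--\n"
)

# Inline PGP: a plain text body carrying an ASCII-armoured message.
INLINE_PGP = (
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "-----BEGIN PGP MESSAGE-----\n"
    "hQEMA3placeholder\n"
    "-----END PGP MESSAGE-----\n"
)

# Signed only: the signature proves origin, but the text travels in the clear.
SMIME_SIGNED_ONLY = (
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="s1"\n'
    "\n"
    "--s1\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Bob, your diagnosis is enclosed in the clear.\n"
    "--s1\n"
    'Content-Type: application/pkcs7-signature; name="smime.p7s"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "MIAGCSqGSIb3DQEHAqCAplaceholder\n"
    "--s1--\n"
)

# No protection at all: personal data readable by every hop and the recipient.
CLEARTEXT = (
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Hi Bob, your date of birth and salary are listed below.\n"
)


def _param(msg, name):
    """Content-Type parameter as a lower-cased string, '' if absent."""
    value = msg.get_param(name)
    return "" if value is None else collapse_rfc2231_value(value).lower()


def classify_email(raw):
    """One of: smime-encrypted, pgp-mime-encrypted, inline-pgp-encrypted,
    signed-only, cleartext, undetermined (opaque type, parameter missing)."""
    msg = message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type()  # always lower-cased type/subtype
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = _param(msg, "smime-type")  # RFC 8551 section 3.2.2
        if smime_type in ("enveloped-data", "authenveloped-data"):
            return "smime-encrypted"
        return "signed-only" if smime_type == "signed-data" else "undetermined"
    if ctype == "multipart/encrypted":  # RFC 3156 PGP/MIME
        is_pgp = _param(msg, "protocol") == "application/pgp-encrypted"
        return "pgp-mime-encrypted" if is_pgp else "undetermined"
    if ctype == "multipart/signed":  # authenticity only, no confidentiality
        return "signed-only"
    # Anything else: scan the readable text parts for inline PGP armour.
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            if "-----BEGIN PGP MESSAGE-----" in part.get_content():
                return "inline-pgp-encrypted"
    return "cleartext"
```

The signed-only case is the one worth remembering: a signature satisfies a recipient that the sender is genuine, yet every mail relay and the recipient's mailbox still hold the personal data in readable form, so it offers no evidence of confidentiality under the GDPR. An S/MIME part without the `smime-type` parameter is reported as undetermined rather than guessed; deciding it would require parsing the CMS structure itself.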

It is of course not certain whether your communication partners will report your transmission of unencrypted personal data. Note that the EU GDPR not only has to be put into practice: under the accountability principle (Art. 5(2)) you must also be able to demonstrate that you have done so.

With our professional Z1 encryption solutions for email and data transfer, companies can easily become EU GDPR compliant and prove it. If you do not yet have a content encryption solution for email that protects your business communication with other businesses and private customers, make your inquiry now.

You can find our assessment of whether TLS configurations are sufficient for EU GDPR compliance here.