GDPR Violations and Fines: One Year Later


By: Mike Giambattista, CLMP

Posted on May 17, 2019

If you believed the hype and headlines, it looked like another Y2K-style calamity was about to hit the business world. Originally intended as a sensible set of guidelines to (finally) establish fences around consumer data, GDPR has, one year after its mandatory implementation, turned out to be little more than an annoyance for businesses, consumers, and the overseeing bodies.

On the other hand, though its effectiveness is still very much in debate, and the gargantuan fines that it threatens have yet to really materialize, GDPR was the first effort to bring order to the wild, wild west of consumer data practices. If anything good came out of the Facebook / Cambridge Analytica fiasco, it was a heightened awareness of the value of customer data and the rogue (and often downright wrong) practices of those who were handling it.

On May 25th of last year, GDPR went into effect and sent a wave of panic through pretty much every organization that does any business over the internet. We saw countless new EULAs (End-User License Agreements) fill up our inboxes. Pop-ups and slide-ins took over virtually every website we visited, all in an effort to head off any of the still-somewhat-vague GDPR violations. It was a fun time to be a web marketer.


But did it work?

Richard Dutton is a Director at the Elias Partnership in the UK, providing ongoing counsel to major firms on the global issues of privacy, compliance, and GDPR. He is the Executive Secretary of the Board of Regents for the Loyalty Academy and a CLMP.

“GDPR observers waiting for its draconian sanctions to be imposed won’t have to wait too much longer. Both the U.K. ICO and Irish Data Commissioner recently announced that several large investigations were coming to a close over the next few months.


Data breaches have provided the media with some impact headlines and forced plenty of CEOs to revise their cyber security budgets. However, it is complaints from the likes of Privacy International being upheld by the Regulators which are most likely to cause the tectonic plates of the data and internet Adtech world to shift. One example: the consent relied on (as a lawful basis for processing personal information under the GDPR) by data aggregators, such as Oracle, Quantcast, Acxiom, Experian, Equifax, Criteo and Tapad, is being challenged. Like Facebook’s recent public pivot to “privacy”, the founder of one of these companies also recently published a blog extolling his company’s long-standing commitment to “privacy”. Judgement day is not far away …”

“Massive” GDPR Fines

It hasn’t been for lack of “teeth” in the regulations: fines for the most egregious GDPR violations can reach 20 million euros or 4% of a company’s global annual revenue for the previous year. According to CNBC, such an upper-level fine could therefore feasibly reach $1.6 billion for Facebook. Those are scary numbers for most businesses, but for the major data aggregators (Facebook, Google, Apple, etc.) they are merely drops in some very large buckets. There are concerns that even at those levels, the penalties don’t offer enough of an incentive to create wholesale change. But new GDPR violations are being uncovered almost daily, and consumer data is still very much in play in legislatures around the world. And, as of today, there are nine EU member states that have yet to implement GDPR, and the new regulator — the European Data Protection Board — is still setting up shop.

So maybe the real GDPR measures take effect in 2019?

Mike Giambattista is Editor in Chief at The Wise Marketer and is a Certified Loyalty Marketing Professional (CLMP).