It’s now a year since GDPR came into force; for firms that were already PCI DSS compliant, the good news was that they were probably already in line with many of the details of the law. Nevertheless, given the scale of the financial penalties that can result from non-compliance – or simply from poor practice – it has been a serious consideration for every firm to take on board.
In the twelve months since the EU’s data protection rules took effect, we have seen a number of enforcement actions take place across Europe.
Here we provide a quick snapshot of some of the key milestones to have occurred since GDPR commenced, including several high-profile fines against firms deemed to have violated the rules:
- GDPR fines have so far totalled €56 million*1
- Google was the sole recipient of a fine totalling €50 million*2
- Uber was fined £385,000 by the Information Commissioner’s Office*3
- There have been more than 200,000 investigations of which 64,000 were upheld*1
- Facebook is facing 11 investigations under the rules*1
- A Portuguese hospital was fined €400,000 for a violation of the rules*4
- Ireland’s Data Protection Commission has launched 19 statutory investigations, 11 of which focus on Facebook, WhatsApp and Instagram. Twitter and LinkedIn are also under investigation.*5
- Denmark’s Data Protection Authority, Datatilsynet (DPA), fined the taxi company Taxa 4×35 around €160,000 for its “over-retention” of certain customer data.*6
Ultimately, GDPR requires firms to make sure that any data they collect is used for a stated purpose. Data must not be collected without telling customers why it is being collected, there is an obligation to tell customers what you intend to do with it and, importantly, all data must be kept secure from breaches.
Of course, complying with PCI DSS – or even de-scoping from it completely – can help take a great deal of the pressure off.