European Union regulators have issued about $1.72 billion in fines for violations of the EU’s General Data Protection Regulation (GDPR) since its effective date in May 2018.

The top five?

  • Amazon Europe: $798 million
  • WhatsApp: $240.7 million
  • Google: $96.3 million
  • Facebook Ireland: $64.2 million
  • Google: $64.2 million

“It’s not uncommon for GDPR and CCPA breaches to stem from either insecure or illegal measures to properly safeguard personal data or a failure to continuously monitor security controls, and oftentimes it’s a combination of both,” said Troy Fine, senior manager of cybersecurity, risk management and compliance at Drata.

“Once companies achieve the requirements to adhere to data privacy regulations, their security efforts shouldn’t stop there. It requires continuous monitoring to ensure they remain compliant over time in order to lawfully protect and manage personal data.”

What are the other lessons learned from GDPR, which celebrates its fourth birthday this month?

Human Error Can Be Main Culprit

With today’s cloud-based environments and speed of doing business, it’s easy for companies to fall short on maintaining their security posture and eventually fall out of compliance according to the laws, especially ones as strict as GDPR or CCPA, according to Fine.

And because these breaches often stem from human error, an important takeaway for companies of all sizes? Implement automated processes to help continuously monitor their compliance program to avoid major fines or even worse, unauthorized access to that data. “Automation significantly reduces the need to manually oversee these systems and streamlines the steps required to maintain compliance,” Fine said.

Be Mindful of the Cookie

Many GDPR breaches involve cookie consent via the infamous "cookie banner," which was the case when Google Ireland was hit with a GDPR fine in January 2022, according to Wendell Lansford, chief marketing officer of Wyng.

Under GDPR, consent is defined as “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

“The whole point is for consumers to have full transparency and control when sharing their data — no tricking people, no games, no dark patterns,” Wyng said.

Give Consumers Transparency

Privacy and personalization are two opposing forces, inherently in conflict with each other, Wyng added. Consumers want personalization. According to McKinsey, 71% of consumers expect companies to deliver personalized interactions, and 76% get frustrated when this doesn’t happen. But they want it on their own terms; 84% of iOS users opt out of tracking across apps/sites, according to Flurry.

“Rather than try to skirt the privacy issue — by using dark patterns, clever workarounds or whatever else — the key to success is for brands to give consumers transparency, choice and control over their data,” Wyng said. “Brands must personalize experiences based on each customer's personal preferences, and give consumers full control over their preferences.”

Accept the Zero-Party Data Phenomenon

That, Wyng added, is the spirit of zero-party data: data that consumers knowingly and intentionally share with a brand so that the brand can provide more relevant, personalized experiences in return. According to Forrester Research (who coined the term in 2018 around the time that GDPR took effect), zero-party data "can include preference center data, purchase intentions, personal context and how the individual wants the brand to recognize her.”

In other words, you would never share your email address with a brand if you didn't know you could revoke your address (i.e., unsubscribe) whenever you want to in the future, he added. “But,” Wyng said, “because you know you can update or revoke your subscription, you are willing to share your email with a brand you trust. The same goes for zero-party data.”

The big platforms, Wyng noted, are starting to embrace zero-party data themselves. Google announced My Ad Center, which gives consumers more transparency, choice and control over their data, and how it's used to personalize ads.

Securing Your Third-Party Data Ecosystem

Jonas Gille, head of information security at Detectify, noted some lessons learned from the British Airways GDPR case. In 2020 the airline was fined $21.3 million under GDPR for a data breach that occurred in 2018.

The Information Commissioner’s Office (ICO) found the airline was processing a significant amount of personal data without adequate security measures in place for around 400,000 people. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack in 2018, which it did not detect for more than two months, according to the ICO.

“Hackers managed to steal data from thousands of customers by breaching the organization’s website and app,” Gille said. “Names, email addresses and credit card details were stolen by the attackers.

“Although no specific technical details about the breach were made public, the ICO pointed out that it could have been prevented, as the company seemed to lack basic security practices at the time of the breach, like multi-factor authentication (MFA). It is yet another example that enabling a security mindset and investing in IT security solutions is advantageous, especially considering the pace at which organizations’ external attack surface is expanding.”

Using third parties is basically extending your IT environment without necessarily retaining control of it, Gille said. In some cases, this may enhance your security posture if the third party has a more rigid security posture than your own.

“This is however not always the case, and the more third parties you add, the bigger your attack surface becomes,” Gille said. “Obviously, using third parties is a must for the majority of organizations today, but one needs to remember that every new basket means new risks that need to be monitored and managed.”