
Life is full of opportunities to make mistakes. Sometimes, they can be a good thing. A lesson learned. But then there are other mistakes that offer no benefit at all, ones that you’ll want to avoid altogether, such as those made in data privacy law.

The world’s growing list of regulations, policies, and legal frameworks governing how personal information is used online poses a serious risk to businesses that don’t know anything about the issue. While mistakes in marketing and hiring may be fixable, those made in data privacy can have serious consequences. This article will explore five of the most common missteps that lead to GDPR violations and the consequences they can bring.

GDPR: The Top 5 Mistakes Made and Their Penalties

What Is the GDPR?

Let’s start things off with a quick refresher; what is the GDPR, exactly? Formally known as the General Data Protection Regulation, this legal framework exists to safeguard the integrity of European citizens’ personal information. It was established in 2018 and immediately set a precedent as one of the world’s most comprehensive data laws. The GDPR outlines a long list of provisions that companies must follow when doing business with individuals within the European Union, whether they’re physically located in the region or not. There are some special rules and exceptions, but for the most part, organizations are expected to adhere to the following seven core principles:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

The Top Five GDPR Mistakes Businesses Make

While the above seven principles seem straightforward enough, the truth is that many organizations fail to follow them in one way or another. Whether intentional or not, it’s in every business’ best interest to avoid common pitfalls like these when handling the data of EU customers:

GDPR Mistake #1: Poor Password Management

The GDPR clearly stipulates that all data controllers must put in place adequate security measures to guarantee the safety of their clients’ data.

One of the most important of these measures is to set up a strong password, whether for logging onto the organization’s computer system, mailbox or any other password-protected server.

Passwords are a simple yet crucial barrier one can put up between unauthorized users and sensitive information.

Still, so many companies make the same common password management mistakes again and again, such as:

  • overly simple passwords with a combination of 6 letters or numbers that is “not sufficiently robust”;
  • the absence of a double or strong authentication system;
  • storage of passwords in clear text;
  • the absence of an automatic password renewal system.

Poor password management by companies constitutes a breach of Article 32 of the GDPR. Article 84 of the GDPR also states that criminal penalties may be imposed upon those who intentionally or negligently breach this rule.

GDPR Mistake #2: Poor Cookie Consent Management

In the context of digital privacy, cookies are text files stored by a user’s web browser that can contain various types of sensitive data.

Cookies are small, but the risks associated with their misuse or abuse are great. Personal information such as names, passwords and IP addresses may be stored in a cookie, which if mishandled or improperly secured may pose a serious data breach risk.

The GDPR requires companies to obtain specific, freely given and informed cookie consent from users before collecting any personal data through cookies or other types of tracking technology. Read more about cookies in our article ‘What are Cookies?’ or read about tracking cookies in particular.

Common violations of this specific provision include:

  • failure to provide individuals with enough information on or control over their consent
  • unnecessarily complicated cookie consent requests
  • a difficult consent revocation process
  • the absence of a choice by purpose
  • incorrect cookie policy generator

Failure to comply with these rules, as outlined in Article 7 of the GDPR, may result in a range of repercussions, including sanctions from the Data Protection Authority’s restricted panel.

GDPR Mistake #3: Use of a Non-GDPR-Compliant Service Provider

Some businesses make the mistake of assuming they only have to worry about the data exchanges they handle in-house. However, GDPR also applies to third-party service providers that handle personal data on behalf of your organization.

Under the GDPR, companies must ensure that any service provider they use is compliant with the regulations and only uses the data for the specific purpose for which it was authorized. Companies must also ensure that any data transfer to third-party countries is GDPR compliant and includes appropriate measures to protect the personal data of individuals.

It’s important to review any contracts you have with these types of organisations before signing them to make sure they comply with GDPR regulations. Otherwise, you may be held liable in the event of a breach.


GDPR Mistake #4: Use of an American Cloud

The GDPR is big on keeping EU citizens’ data inside regional borders. Information should be obtained then processed on servers located within the bloc’s countries and not sent over to any others, at least not without following due process.

There exist several laws and bilateral agreements that can be used to legitimize data transfers, but they require a certain amount of paperwork and have their own set of rules. U.S. President Joe Biden signed an Executive Order on October 7, 2022, implementing a new framework for the transfer of personal data from the European Union to the United States that is still in its infancy.

Although these direct agreements exist, they’re far from a guarantee of compliance. Lawmakers have introduced several updates and replacements to cross-border data sharing agreements over the past years, and that trend is only likely to continue as the landscape grows more complex. The easiest way to ensure you’re in line with Articles 46 and 47 of the GDPR is to use an EU-based and EU-owned cloud provider.

CookieFirst’s CMP system uses an EU-based and EU-owned cloud infrastructure for processing and storage of consent data. Try CookieFirst today!

GDPR Mistake #5: No Time Limit On Data Retention

Lastly, we have the obligation that so many data controllers fail to remember before it’s too late – time limits on data retention. The GDPR is very clear about the fact that personal data cannot be kept indefinitely, even after being collected through lawful means.

Organizations are expected to determine retention periods appropriate to the reason the data was collected in the first place. These periods may vary and depend on any legal, accounting, or reporting requirements that exist.

In any case though, not disclosing retention periods in a privacy policy – or worse, failing to use them altogether – is a blatant violation of GDPR rules under Article 5.1.e.

Organizations should consider setting up a system that automatically deletes or anonymizes data after a certain period. This can be done manually, but most organizations find it easier to use automated solutions for this purpose.
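As an added illustration of such an automated job (example code, not CookieFirst's or part of the original article), the sketch below applies a retention period per collection purpose, deleting or anonymizing expired rows and reporting any purpose that has no period defined. The table layout, purposes and periods are assumptions made for the example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed retention schedule: purpose -> (days to keep, action once expired).
RETENTION = {
    "newsletter": (365, "delete"),
    "orders": (3650, "anonymize"),  # keep the accounting row, drop the identity
}
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the demo

def build_sample_db():
    """Constructed sample data: personal records tagged with a purpose."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, purpose TEXT,"
               " email TEXT, name TEXT, amount REAL, collected_at TEXT)")
    sample = [("newsletter", 400), ("newsletter", 30), ("orders", 4000),
              ("orders", 100), ("support_chat", 900)]  # (purpose, age in days)
    for i, (purpose, age) in enumerate(sample, start=1):
        ts = (NOW - timedelta(days=age)).isoformat()
        db.execute("INSERT INTO records VALUES (?,?,?,?,?,?)",
                   (i, purpose, f"user{i}@example.com", f"User {i}", 10.0 * i, ts))
    return db

def enforce_retention(db, now=NOW):
    """Apply the schedule once and return what was done."""
    done = {"deleted": 0, "anonymized": 0, "unmapped": []}
    for purpose, (days, action) in RETENTION.items():
        cutoff = (now - timedelta(days=days)).isoformat()
        if action == "delete":
            cur = db.execute("DELETE FROM records WHERE purpose=? AND collected_at<?",
                             (purpose, cutoff))
            done["deleted"] += cur.rowcount
        else:
            # Assumption: clearing these two columns is enough for this table;
            # real schemas need every identifying field reviewed.
            cur = db.execute("UPDATE records SET email=NULL, name=NULL WHERE purpose=?"
                             " AND collected_at<? AND email IS NOT NULL", (purpose, cutoff))
            done["anonymized"] += cur.rowcount
    # Records whose purpose has no retention period would otherwise live forever.
    marks = ",".join("?" * len(RETENTION))
    rows = db.execute("SELECT DISTINCT purpose FROM records WHERE purpose NOT IN"
                      f" ({marks}) ORDER BY purpose", tuple(RETENTION))
    done["unmapped"] = [r[0] for r in rows]
    db.commit()
    return done

if __name__ == "__main__":
    print(enforce_retention(build_sample_db()))
```

Run on a schedule, the returned summary doubles as an audit record, and a non-empty `unmapped` list flags data collected for a purpose that nobody assigned a retention period to.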

The Implications

So, what exactly are companies risking by flouting GDPR rules? The specific penalties handed down can vary from case to case. As we reviewed above, some parts of the law have different repercussions than others.

Generally speaking, any company that violates the General Data Protection Regulation can expect to incur a minimum fine of €10 million or 2% of annual revenue from the preceding financial year for less severe violations, and €20 million or 4% of annual global turnover for greater infringements.

These penalties are administered by the data protection authority of whichever EU country the company is located in. Depending on the country, there may be other repercussions as well, such as criminal charges or a requirement to compensate those affected by non-compliance.

In addition to the aforementioned pecuniary penalties, the Data Protection Authority’s restricted panel may also take the following actions against non-compliant businesses:

  • issue a call to order
  • order data processing be brought into compliance, including under penalty
  • temporarily or definitively restrict processing
  • suspend data flows
  • make sanctions public

The maximum GDPR fine handed down to date was to Meta in 2023, after the social media giant was fined $1.3 billion for violating data transfer rules. This serves as a reminder to organizations of all sizes that GDPR compliance is not something to be taken lightly and can come with serious repercussions.

It’s not surprising that a document as extensive as the GDPR is confusing for many business owners. Countless rules, responsibilities, and rights contrast with one another to make the idea of compliance feel almost unattainable.

Yet despite how advanced it all may seem, the truth is that you’re in no way defenseless against penalties. Learning common mistakes like those we’ve covered in this article is a great way to avoid easy slip-ups and the damage they can cause. Even better, a professional consent management tool like CookieFirst can further insulate your website against potential fines while making the responsibility of maintaining robust privacy measures that much easier.

Take the next step in ensuring your online data compliance by exploring CookieFirst’s suite of solutions today.

