GDPR Enforcement: One Year Later

It has been a little over a year since the EU’s General Data Protection Regulation (GDPR) went into effect, and we are starting to see the impact of GDPR enforcement actions as regulators impose hefty fines on noncompliant companies. Back in November 2018, we noted minimal fanfare in regard to GDPR penalties, however, as we’ve reached the one-year mark, the landscape has shifted. More recent headlines highlighting significant fines illustrate the lack of noise was not a lack of investigative activity. Let’s take a look at a few major cases resulting in monetary fines that reflect the seriousness of the EU’s desire to protect personal data:


UK – Marriot – £99,000,000

Marriot faces GDPR fines related to a breach of the Starwood Hotels guest reservation database, exposing 339 million guest records. The ICO also alleged that Marriott hadn’t conducted proper due diligence when it bought Starwood in 2016. The breach wasn’t discovered until 2018, and Marriot reported it immediately.

UK – British Airways – £183,000,000

As a result of a data security breach on British Airways’ website, approximately 500,000 customer records were vulnerable to third party attackers. The UK’s data protection agency claims that BA’s website was compromised due to a poor cybersecurity system. This represents the largest GDPR fine to date (since the Facebook Analytica scandal).

Spain – La Liga Soccer League – €250,000

La Liga is accused of listening for piracy through its mobile app. La Liga turned on user microphones in order to listen for sounds of the soccer game and determine whether it was streaming using geo-location. La Liga used the information to sue 600 bars for pirating soccer games.


What we can infer from these cases is that regulators across EU member states are not only responding to the breach incidents but are working collaboratively to identify and mitigate other risks to personal data. The intensifying enforcement by the European regulators is driving the desired outcome, businesses are taking their data privacy obligations more seriously. According to the Information Commissioner’s Office (ICO), they are using their power to change behaviors and will use the necessary tools to ensure that personal data is protected, and organizations comply with the law.[1]

In addition to maintaining strict guidelines, regulators are pulling back the curtain on how they process public concerns. According to a recent ICO report, GDPR has resulted in a significant increase in reported personal data breaches, with the ICO being informed of approximately 14,000 incidents from May 2018-May 2019, up from 3,300 in the preceding year. The report also suggests that the new law has had a substantial impact on the number of concerns raised by the public – up from 21,000 between 2017-2018 to 41,000 from May 2018-May 2019. This heightened vigilance means that now, more than ever, organizations must prioritize data privacy to protect and manage the personal data they store.

As regulators continue to hold companies accountable for safeguarding personal data, the contract review process must be a part of the conversation. A Data protection analysis of contracts should come before a breach occurs, meaning that organizations should have visibility and an understanding of what their contractual obligations are before the 72-hour notification clock begins ticking following an incident. By reviewing relevant contracts, the DPO and compliance team can establish which of those contracts require remediation, amendment, or redrafting.

GDPR Contract Compliance
Data Privacy Insight Infographic


Seal’s Data Privacy Insight™ combines powerful AI capabilities with our legal-AI expertise to ensure readiness across business and regulatory landscapes. This added intelligence delivers unparalleled visibility and insight into the corpus of contracts. In light of recent news, companies that have not reviewed their contracts for GDPR and other new data privacy requirements should contact Seal to learn how they can benefit from AI-powered technology to limit data exposure and monetary fines imposed by the EU and other regulatory bodies.

To learn more about Seal advanced analytics for GDPR  <Click Here>