More than a luxury: Understand the true costs of GDPR non-compliance
On the surface, the General Data Protection Regulation, better known as GDPR, and luxury brands like Ducati or Hermès would not seem to have anything to do with each other. And for the most part they don’t. But when GDPR non-compliance penalties are framed in terms of how many of a luxury item a person could buy, the cost becomes more tangible than a figure in euros alone. Even the lowest financial penalty is significant, and could easily force a smaller company out of business. For larger companies, the sums are staggering when put into real terms: for the average person or small business, a single Ducati motorcycle or Hermès Birkin bag can seem out of reach, but for the Googles of the world, just one GDPR penalty could literally purchase hundreds of motorcycles or more than 100 of the most expensive and most coveted Birkin bags.
Since the EU’s GDPR came into force in May 2018, companies of all shapes, sizes and types have scrambled to comply with its data-protection and privacy mandates. The consequences of GDPR non-compliance – hefty fines – have not always proven to be a compelling deterrent. Four years of GDPR enforcement later, some of the largest fines illustrate the true costs of GDPR as well as its status as “the new cost of doing business”.
What is GDPR? A refresher
The GDPR is one of the world’s toughest data protection laws, putting data privacy regulation into practice. It is a legal framework that governs how personal data is collected, processed and stored. While it is a European Union endeavor to protect the data of EU citizens and residents, its reach extends to companies that handle or manage that data, regardless of where the company is located.
GDPR serves as a blueprint for privacy regulations that have since been launched in other jurisdictions. GDPR requires that companies have an end-to-end understanding of how data is handled and used. Non-compliance penalties have been designed to make companies think twice about the consequences and costs.
What will GDPR non-compliance cost a company?
GDPR non-compliance is costly. The regulation recognizes two tiers of severity for violations. The less severe tier carries a financial penalty of up to EUR 10 million, or 2% of the company’s global annual revenue from the preceding financial year, whichever amount is higher. The more severe tier carries a fine of up to EUR 20 million, or 4% of annual global turnover, whichever is higher.
Since the regulation took effect, just over 1,000 fines have been issued for GDPR non-compliance. Most analysts say that while GDPR enforcement got off to a slow start, the regulation is being applied and enforced more widely as time goes on. In 2020, fines increased by 40% as regulators hit their stride and accelerated enforcement. As regulators grew stricter in applying the regulation, fines increased sevenfold to USD 1.2 billion by the beginning of 2022. This means that adhering to GDPR’s mandates is more important than ever in avoiding the consequences.
The costliest GDPR violations… and what luxuries they translate to
While enforcement started low and slow, new penalty records have been set throughout 2021 and 2022. While earlier, and much smaller, penalties hit consumer companies like H&M, Telecom Italia, British Airways and Marriott Hotels – in much-publicized data breach cases – larger non-compliance cases and fines have affected Big Tech/FAANG companies the most.
1. Amazon — €746 million ($877 million)
The fine was almost 15 times bigger than the previous record, and is thought to relate to cookie consent.
This was not Amazon’s first run-in with GDPR, having first been hit with a EUR 35 million fine in 2020 for cookie consent violations.
Luxury translation: For the amount Amazon had to pay in GDPR violations, it would easily be possible to buy your own private island.
2. WhatsApp (Meta) — €225 million ($255 million)
WhatsApp was hit with a EUR 225 million GDPR penalty by Ireland, which argued that the messaging service did not properly explain its data processing practices in its privacy notice.
Luxury translation: For the amount in fines that WhatsApp has had to pay, it would be possible to buy one luxury super yacht. More “standard” yachts can be had for anywhere from USD 500,000 to USD 50 million – meaning that you could purchase multiple yachts of many sizes to keep all over the world for EUR 225 million.
3. Google Ireland — €90 million ($102 million)
Luxury translation: At USD 18.7 million, the Bugatti La Voiture Noire is the most expensive car in the world. It is not available to purchase as a production car, but if it were, you could buy five of them for the amount Google Ireland had to pay in GDPR fines. For the same money you could get 100 of the McLaren P1, the 20th most expensive car in the world, at just over USD one million each.
4. Facebook — €60 million ($68 million)
Facebook’s non-compliance has been a double whammy – first with the WhatsApp fine (see above), and then a EUR 60 million penalty for Facebook itself in 2022. Why? They failed to obtain proper cookie consent from users.
Luxury translation: For the amount of the Facebook fine, you could buy about 150 of the world’s rarest, most expensive Hermès Birkin bags. Sold by Christie’s for USD 380,000, the “Himalaya Niloticus Crocodile Diamond Birkin 30” is touted as the world’s most expensive bag.
5. Google LLC — €60 million ($68 million)
Related to the larger fine levied against Google Ireland for its mishandling of YouTube cookie consent, this fine against Google’s California headquarters resulted from cookie mishandling on the Google search platform.
Luxury translation: For the amount of the Google fine, you could buy 600 of the exclusive, money-is-no-object Ducati Superleggera production motorcycles, at EUR 100,000 each.
Hidden costs: Brand trust and reputation
Regardless of the size of your business – or the GDPR fine you should avoid at all costs – consumers are becoming more savvy and concerned about data privacy and their rights. They trust you with their data. Violating that trust, even if unintentionally because of poorly implemented GDPR measures, is not easy to recover from, and can cost you in terms of brand reputation. Consumer trust can’t be purchased at any price.
How can you comply with GDPR?
GDPR compliance is important – and required – but not a core competency for most companies. As you build on your data collection and content marketing strategies, you need to continually monitor your GDPR compliance. With thorough initial GDPR gap analysis and regular evaluations of your data protection and privacy stance, you can understand what you’re doing right, where your risk areas and weaknesses are, what data protection measures you need to take, and how to implement them.
Mind The Gap offers hands-on GDPR compliance consultation services, so you can focus on your core business while we put our expertise to work: helping you become GDPR compliant across channels and markets, managing your consent management efforts and handling technical GDPR implementation.
The complexity is clear, and the tangible and intangible costs of non-compliance are even clearer. We’re here to help. Get in touch to discuss how Mind The Gap’s GDPR solution can keep you ready for data protection efforts now and in the future.