An analysis of violations and sanctions following the GDPR
Original version
International Journal of Information Systems and Project Management. 2021, 9 (1), 38-53. 10.12821/ijispm090102Abstract
This paper investigates the violations and sanctions that have occurred following the implementation of the General Data Protection Regulation (GDPR). The GDPR came into effect in May 2018 with the aim of strengthening the information privacy of European Union/European Economic Area citizens. Based on existing taxonomies of (i) potential consequences of violating the GDPR (including surveillance, discrimination), (ii) an analysis of 277 sanctions, and (iii) interviews with experts, we offer a mapping of the violations and sanctions almost two years after the regulation was implemented. The most typical complaints were, in descending order: unlawful processing and disclosure of personal information, failure to act on and secure subject rights and personal information, and insufficient cooperation with supervising authorities. Our analysis also indicates an increasing number of fines over time. Regarding size, the fines range from 50,000,000 euros to (symbolic?) 90 euros. While research on GDPR violations and sanctions is somewhat scarce, our study mainly confirms existing findings: that the GDPR is complex and challenging. However, our study provides insight on some of the challenges. Our contribution is mainly practical and aimed at managers in any organization whose goal is to protect information privacy and to learn from the mistakes made by other companies. We also welcome more research on the topic.
Description
General permission to republish in print or electronic forms, but not for profit, all or part of this material is granted, provided that the International Journal of Information Systems and Project Management copy right notice is given and that reference made to the publication, to its date of issue, and to the fact that reprinting privileges were granted by permission of SciKA - Association for Pro motion and Dissemination of Scientific Knowledge.