An analysis of violations and sanctions following the GDPR

Authors

  • Wanda Presthus Kristiania University College
  • Kaja Felix Sønslien Sopra Steria

DOI:

https://doi.org/10.12821/ijispm090102

Keywords:

privacy, General Data Protection Regulation, GDPR, data management, violations, sanctions

Abstract

This paper investigates the violations and sanctions that have occurred following the implementation of the General Data Protection Regulation (GDPR). The GDPR came into effect in May 2018 with the aim of strengthening the information privacy of European Union/European Economic Area citizens. Based on existing taxonomies of (i) potential consequences of violating the GDPR (including surveillance, discrimination), (ii) an analysis of 277 sanctions, and (iii) interviews with experts, we offer a mapping of the violations and sanctions almost two years after the regulation was implemented. The most typical complaints were, in descending order: unlawful processing and disclosure of personal information, failure to act on and secure subject rights and personal information, and insufficient cooperation with supervising authorities. Our analysis also indicates an increasing number of fines over time. Regarding size, the fines range from 50,000,000 euros to (symbolic?) 90 euros. While research on GDPR violations and sanctions is somewhat scarce, our study mainly confirms existing findings: that the GDPR is complex and challenging. However, our study provides insight on some of the challenges. Our contribution is mainly practical and aimed at managers in any organization whose goal is to protect information privacy and to learn from the mistakes made by other companies. We also welcome more research on the topic.

Downloads

Published

2021-09-16

How to Cite

Presthus, W., & Sønslien, K. F. (2021). An analysis of violations and sanctions following the GDPR. International Journal of Information Systems and Project Management, 9(1), 38–53. https://doi.org/10.12821/ijispm090102

Issue

Section

Articles