News & Resources

GDPR Fines: What’s the Impact to Your Business?

In Thought Leadership, GDPR

GDPR Fines: What’s the Impact to Your Business?

In July 2019 the EU Data Protection Authorities imposed fines of €282 million ($318 million U.S.). The following companies were the targets of the fines and the reasons why the fines were imposed.

  • British Airways, €183 million, Data breach affecting 500,000 customers that occurred between August 21st to September 5th 2018. The data compromised included names, addresses, login information, payment card details and travel bookings.
  • Marriott International, €99.2 million, Data breach that occurred in November 2018. Marriott International, the parent company of hotel chains, admitted that personal data including credit card details, passport numbers and dates of birth had been stolen in a global breach of guest records.
  • UniCredit Bank, €130,000, Disclosure of transaction information for approximately 337,042 people. The bank disclosed payers’ personal details between May 25th and December 10th 2018.
  • Hospitality Sector Entity, €15,000, Mishandling of clients’ personal data. The personal data was in paper format (list of clients having paid for breakfast) and was photographed by unauthorized persons and published online, affecting the data subjects’ right to privacy.

GDPR (General Data Protection Regulation) enforcement started on May 25, 2018 and was established to protect the personal data of EU (European Union) residents regardless of whether the data processing takes place in the EU or not. This means U.S. companies are included in the GDPR scope if they offer goods and/or services to EU residents and process their personal data. Although GDPR has been in place for over a year, only about a quarter of U.S. companies that are subject to GDPR are GDPR compliant. Getting GDPR compliant is costly and many businesses continue to take the wait and see attitude. Since GDPR is an EU regulation many organizations are waiting to see how the regulation will be applied before they invest in a GDPR strategy.


On June 28, 2018, a little over a month after GDPR enforcement started, the California Consumer Privacy Act (CCPA) was signed into law. This law provides privacy rights and consumer protection for residents of California. CCPA becomes effective on January 1, 2020. Individual states continue to be active on expanding their privacy standards. Recently Illinois, Maine, Maryland, Massachusetts, New Jersey, New York, Oregon, Texas, and Washington have all amended their breach notification laws to either expand their definitions of personal information, or to include new reporting requirements. Congress has held a number of hearings this year and is working on formulating a national privacy law.


Bottom line, data protection and privacy are here to stay. GDPR created a framework to standardize personal data protection and other countries have established or are working on establishing improved data protection laws. Going forward organizations will be expected to prove they can protect their customers’ data. It’s imperative that your organization takes privacy seriously. Business that don’t implement data protection controls will quickly fall behind the curve and over time will lose market share. In the end, people work with people they trust.


Are you having challenges implementing GDPR? Crayon has the GDPR services that can assist you to work towards GDPR compliance. Contact your Crayon Account Manager or contact at


Contact your Crayon Account Manager or contact at

Tony Musielak - BDM