British Airways was fined £20 million by the UK ICO in 2021 for a data breach affecting 400,000 customers. Amazon was fined €746 million by Luxembourg's data protection authority the same year for GDPR violations in how it processes personal data for advertising.
These aren't edge cases. They're the new normal. And in both cases, the data protection failures were preventable.
1. Treating consent as the default lawful basis for everything
GDPR defines six lawful bases for processing personal data. Consent is one of them, but it's often the wrong one. Consent requires a specific, freely given, unambiguous opt-in that can be withdrawn at any time. If a customer withdraws consent, you must delete their data. For most commercial data processing, legitimate interests or contractual necessity is a more appropriate basis. CDOs who default to consent for everything create both compliance complexity and operational fragility.
2. Not maintaining a Record of Processing Activities (ROPA)
GDPR Article 30 requires organizations to maintain a register of all data processing activities. Most organizations have one, but it's incomplete, outdated, or maintained by a junior compliance officer who doesn't have visibility into all processing. The ROPA should be a living document, updated every time a new system processes personal data. The CDO should own it.
3. Confusing anonymization with pseudonymization
Anonymized data is outside GDPR's scope. Pseudonymized data (data where the direct identifier has been replaced with a code but re-identification is theoretically possible) is still personal data under GDPR. Many organizations claim to have "anonymized" data that is actually pseudonymized, creating a significant regulatory risk when they share that data with third parties.
4. Missing the 72-hour breach notification window
When a personal data breach occurs, GDPR requires notification to the supervisory authority within 72 hours of becoming aware of it. Most organizations don't have a process that makes this possible. The CDO needs to ensure a breach response process exists before a breach happens.
5. Ignoring Data Subject Rights operationalization
GDPR grants individuals eight rights: access, rectification, erasure, restriction, data portability, objection, and rights related to automated decision-making. Organizations are legally required to respond within 30 days. Most organizations have a process for handling these requests, but it's manual, slow, and doesn't scale. A data subject access request (DSAR) involving multiple systems can take days of manual work per request. At 1,000 DSARs per month, this becomes a significant operational burden that technology must solve.
Knowledge check
1. What fine did Amazon receive from Luxembourg's data protection authority in 2021 for GDPR violations?
2. According to GDPR, within what timeframe must organizations notify the supervisory authority of a personal data breach?
3. Why is consent often the wrong lawful basis for commercial data processing under GDPR?
4. Select ALL correct statements about the Record of Processing Activities (ROPA) according to the lesson.
Sélectionnez toutes les réponses correctes.
5. Select ALL correct statements about anonymization vs. pseudonymization under GDPR.
Sélectionnez toutes les réponses correctes.
6. Underestimating data transfers outside the EU
If you use a US-based cloud provider (AWS, Azure, Google Cloud), you are technically transferring personal data outside the EU. Post-Schrems II, this requires a valid transfer mechanism: Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or reliance on the EU-US Data Privacy Framework. Many organizations haven't completed this analysis for all their processors.
7. Not appointing a Data Protection Officer when required
A DPO is mandatory for public authorities, organizations that conduct large-scale systematic monitoring, and organizations that process special category data at scale. Many organizations in these categories don't have one, or have a DPO who lacks independence (the DPO cannot be given instructions about how to perform their tasks).
8. Inadequate vendor management
Every third party that processes personal data on your behalf is a data processor. You need a Data Processing Agreement (DPA) with each one. Most organizations have DPAs for their major vendors but miss dozens of smaller tools, analytics platforms, marketing tools, recruitment software, that process personal data without a compliant DPA.
9. Privacy by design treated as an afterthought
GDPR requires privacy by design and by default. In practice, this means privacy impact assessments (DPIAs) must be conducted before new systems or processes are built, not after. Most organizations conduct DPIAs reactively, when a regulator asks, not before building.
10. Ignoring special category data
Special category data (health, biometric, racial/ethnic origin, political opinions, religious beliefs, sexual orientation, criminal records) requires explicit consent or a specific exemption. Organizations frequently process special category data without realizing it, a wellness app processing health data, an HR system processing disability information, an AI model trained on data that reveals religious affiliation.
Use GDPR fines as a business case for investment in privacy infrastructure. The Amazon fine (€746M) was approximately 0.1% of annual revenue, but the reputational damage and ongoing compliance costs were far higher. A €200K investment in privacy management technology, proper DPA management, and staff training is an easy ROIROIReturn on Investment: the ratio of net profit to the cost of an investment. A 300% ROI means each dollar invested returns $3.View full definition → to calculate against that risk.