Fines Are No Longer A Threat But A Reality For GDPR Breaches

Massive fines are no longer a threat but a reality following the French Data Protection Authority’s decision to fine Google €50 Million for breaches of the GDPR.

Here are the main lessons to be learnt from that decision:


Privacy information must be easily accessible– users in Google’s case had to click on as many as five or six links to find all the relevant privacy notice information. The ICO’s advice is that privacy notice information should not be more than two clicks away on your website.

Privacy information needs to be clear and comprehensive – in Google’s case the reasons for processing the data were described in a too vague and generic manner, as were the categories of data processed. In addition, the legal basis being relied upon in relation to each processing activity was not clear. In particular, it was not easy for users to understand that the legal basis being relied upon for advertising personalisation was consent, not legitimate interests, and therefore users had the right to withdraw that consent.

Retention periods need to be provided for each type of data – in Google’s case, retention information was not provided for some data.

The clear message from the Google case is that simply having a privacy notice is not sufficient. The privacy notice must be fit for purpose and conform with the specifications of the GDPR in detail. Many organisations, in the rush to finalise and publish privacy information before 25 May 2018, may have adopted a “that’ll do” attitude towards their privacy notice. The Google case clearly demonstrates that won’t be sufficient to avoid a penalty. Now is the time to revisit your privacy notice to ensure that it passes the GDPR test. Ask yourself whether:

  1. The privacy notice is visible from all pages of your website.
  2. All the information required by the GDPR is accessible by 2 clicks.
  3. All the categories of personal data you process are set out.
  4. All your reasons for processing personal data are made clear.
  5. It is clear what your legal basis for each processing activity is, it is clear that merely publishing a list of general legal bases without reference to the specific processing activities to which they relate is not sufficient.
  6. Retention periods are provided for all types of data. These need to be specific not generic periods such as “for as long as is necessary”.

Work your way through our GDPR Privacy Notice checklist to determine whether your organisation’s privacy information is up to the required standard.


Geldards have developed a breach reporting assessment tool to give you a broad idea of the type of questions you should consider to help determine whether a personal data breach is reportable. Download our breach reporting assessment tool here. Together with Geldards’ data breach notification procedure this should provide your organisation with an appropriate risk assessment process to determine when it is appropriate to notify the ICO of a personal data breach.


GDPR is an ongoing process and to assist your organisation in keeping up with the latest developments, Geldards have teamed up with RealSense, a leading e-learning provider, to develop a cost-effective online learning solution designed to raise staff awareness throughout your organisation of GDPR requirements and help keep them up to date. This course is aimed at staff members in all organisations that handle personal data and integrate with all recognised learning platforms.

For further information or if you wish to obtain a fixed fee quotation, please complete the form on this page and one of our GDPR law experts will be in touch.

Like to talk about this Insight?

Get Insights in your inbox

To Top