Recently, a data protection regulator in Germany fined the retail giant H&M €35.3 million (£32 million; $40 million) – the second-biggest fine under the GDPR to date. What did H&M do to deserve such an eye-watering fine? Did they lose a lot of personal data? No! Were they hacked? No! In fact, this wasn’t about a data security breach at all – it was for the excessive and unlawful collection of employee data.