£97 million in fines imposed by European authorities under terms of GDPR

Over 160,000 data breach notifications have been reported across the 28 European Union Member States plus Norway, Iceland and Liechtenstein since the General Data Protection Regulation (GDPR) came into force on 25 May 2018. According to DLA Piper’s latest GDPR Data Breach Survey, data protection regulators have imposed £97 million in fines under the GDPR regime for a wide range of infringements, not just for data breaches.

France, Germany and Austria topped the rankings for the total value of GDPR fines imposed, with just over €51 million, €24.5 million and €18 million respectively. The Netherlands, Germany and the UK topped the table for the number of data breaches notified to regulators, with 40,647, 37,636 and 22,181 notifications respectively.

The daily rate of breach notifications has also increased by 12.6%, from 247 notifications per day during the first eight months of the GDPR (25 May 2018 to 27 January 2019) to 278 breach notifications per day for the current year.

Weighting the results against country populations, the Netherlands again comes top with 147.2 reported breaches per 100,000 people, up from 89.8 per 100,000 people last year, followed by Ireland and Denmark. Of the 27 countries that provided data on breach notifications, the UK, Germany and France ranked thirteenth, eleventh and twenty-third respectively on a reported fine per capita basis.

Italy, Romania and Greece reported the fewest breaches per capita. Italy, a country with a population of over 62 million people, recorded only 1,886 data breach notifications, illustrating the cultural differences in approach to breach notification.

The highest GDPR fine to date was €50 million, imposed by the French data protection regulator on Google for alleged infringements of the transparency principle and lack of valid consent, rather than for any data breach. Following two high-profile data breaches, the Information Commissioner’s Office published two notices of intent to impose fines in July 2019 totalling £282 million, although neither had been finalised at the date of the report published by DLA Piper.

Issue driven into the open

Commenting on the report, Ross McKean (partner at DLA Piper specialising in cyber and data protection) said: “The GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organisations. The total amount of fines of £97 million imposed to date is relatively low compared to the potential maximum fines that can be imposed under the GDPR, indicating that we’re still in the early days of enforcement. We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity.”

Patrick Van Eecke, chair of DLA Piper’s international data protection practice, said: “The early GDPR fines raise many questions. Ask two different regulators how GDPR fines should be calculated and you will receive two different answers. We are years away from having legal certainty on this crucial question, but one thing is for certain: we can expect to see many more fines and appeals over the coming years.”

‘Almost compliant is close enough’

Tony Pepper, CEO of Egress, observed: “The recent GDPR Data Breach Survey by DLA Piper has revealed that over 160,000 data breach notifications have been reported across Europe, resulting in fines of up to £97 million GBP, since the legislation came into force in May 2018. In particular, the UK has seen an increase in reported data breaches (11,581) in the past year, putting us in third place behind Germany and The Netherlands.”

He continued: “Our own recent research, entitled ‘GDPR Compliance: Where Are We Now?’, found an ‘almost compliant is close enough’ attitude towards the GDPR in the UK, with less than half of decision-makers (48%, in fact) reporting that their business was fully compliant, indicating that the focus has waned in the past 12 months. Another concerning finding was that only 6% of organisations have taken action to avoid the full potential of the legislation. As the New Year commences, the DLA Piper study highlights the need for organisations to review the protections they’re putting in place around unstructured data, especially so within e-mails, meaning that if sensitive information falls into the wrong hands, the risks of it being exposed are mitigated.”

In conclusion, Pepper explained: “The GDPR demands compliance from businesses of all sizes. They need to take all of the necessary steps towards protecting data. This means adopting a comprehensive layered approach towards data security which enables end users to protect sensitive information in a simple and easy-to-use way. At a time when phishing and other cyber attacks are becoming much more prevalent, it has never been more important to analyse the best way in which to mitigate the risks of data breaches.”

*Not all Member States within the European Economic Area make breach notification statistics publicly available. Indeed, many have only provided statistics for part of the period covered by DLA Piper’s report, so the figures have been rounded up and, in some cases, extrapolated to provide best approximations. Similarly, not all GDPR fines are publicly reported.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000, having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.