Since it was introduced on May 25 2018, €114m in fines and more than 160,000 General Data Protection Regulation (GDPR) data breach notifications have been registered by data protection authorities in the European Union, and this figure is predicted to rise rapidly as the notified breaches are dealt with.
Law firm DLA Piper revealed the figures this week following its GDPR Data Breach Survey. Ross McKean, partner at DLA Piper specialising in cyber and data protection, said: “GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12 per cent compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organisations”.
He went on to say: “The total amount of fines of €114m imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement. We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity.”
Since GDPR became enforceable in 2018, data protection agencies in each EU member state have had the power to impose on organisations found responsible for data breaches penalties as high as €20m or 4% of annual global revenue for the previous financial year, whichever figure is greater.
There have been some large fines, including €50m imposed by the French data protection authority on Internet giant Google. This fine related to a lack of clarity about how targeted advertising was being conducted. The UK data protection authority has also been extremely busy and diligent, issuing British Airways an initial penalty of €213m for a data breach that revealed the personal data of approximately 500,000 people and, subsequently, issuing a fine of €123m against Marriott Hotels in relation to the data breach that occurred on its databases, revealing the personal details of 339 million guests around the world. However, the final fines have not been fully agreed in these two ICO cases, so they are not included in the DLA Piper survey results.
More recently we have seen other EU Member States issue GDPR fines, signalling the coming influx of GDPR penalties as the agencies become more familiar with the review and investigation processes and companies have exhausted any perceivable ‘bedding-in period’ for the legislation. Some of the more recent cases include:
- First Ever UK GDPR Penalty is €325k for London Pharmacy
- €14.5m GDPR Penalty For German Property Firm
- Morele.net Fined €645,000 for lack of GDPR Compliant Security Measures
- Unlawful Use of Facial Recognition Technology Leads to GDPR Penalty in Sweden
Referring to the relatively slow application of penalties to date, McKean said: “It is going to be a slow progress to get the legal certainty regulators need to start whacking companies with higher fines.”
What is becoming clear is that, towards the end of 2019 and the beginning of 2020, EU data protection agencies are becoming more and more willing to apply stringent financial penalties for every type of GDPR breach. Companies that are still unsure whether they are GDPR compliant need to move quickly to address this, and companies that believe they are fully GDPR compliant need to double-check everything so nothing is left to chance.