GDPR Penalties Amount to €273m since Introduction of Legislation

Law firm DLA Piper has published a report showing that European Union-based businesses have paid fines totalling €272.5m ($329m) for an extensive list of breaches of the General Data Protection Regulation (GDPR) since it was first introduced on May 25, 2018.

The aggregate daily rate of breach notifications in Europe registered double-digit growth for the second consecutive year, with 331 notifications per day since 28 January 2020, a 19% increase compared to 278 breach notifications per day for the previous 12 months.

The report comments that there is widespread evidence of a continuing “failure to implement appropriate security measures”. This is one of the chief factors behind the continued growth in GDPR fines. In the two years since GDPR became enforceable, it has slowly become apparent what data protection agencies deem appropriate behaviour under GDPR. It is now becoming easier for companies to achieve full GDPR compliance as regulators’ expectations become clearer. These include: ongoing monitoring of privileged user accounts and of databases that hold personal information, server security measures that safeguard administrator accounts, and encryption and multi-factor authentication to secure access and files.

To prevent staff members from doing something that may lead to a GDPR breach, it is wise to provide ongoing training on what is permissible when handling private data. This, together with an onboarding session on GDPR for new members of staff, will go a long way towards helping companies avoid GDPR penalties.

The GDPR penalties were paid by companies based across the 27 EU member states and the UK, Norway, Iceland and Liechtenstein. The largest proportion was paid by companies based in Italy (€69.3m), followed closely by Germany (€69.1m) and France (€54.4m).

Other figures revealed in the report include:

  • 281,000 GDPR data breach notifications have been issued.
    • This total comprised Germany (77,747), the Netherlands (66,527), the UK (30,536), France (5,389) and Italy (3,460).
  • Companies in Europe have paid €272.5m ($329m) in fines.
  • The highest GDPR fine is €50m – issued against Google by the French data protection regulator CNIL.
  • Two GDPR penalties in the UK were reduced from £282m in total to £28.4m.
  • Denmark had the highest number of reported breaches per 100,000 people, with 155.6 per 100,000 people – other countries registered the following results:
    • Netherlands 155.6
    • Ireland 127.8

Ross McKean, chair of DLA Piper’s UK Data Protection & Security Group, said: “Fines and breach notifications continue their double digit annual growth and European regulators have shown their willingness to use their enforcement powers. They have also adopted some extremely strict interpretations of GDPR setting the scene for heated legal battles in the years ahead. However we have also seen regulators show a degree of leniency this year in response to the ongoing pandemic with several high profile fines being reduced due to financial hardship.”

He went on to say: “During the coming year we anticipate the first enforcement actions relating to GDPR’s restrictions on transfers of personal data to the US and other ‘third countries’ as the aftershocks from the ruling by Europe’s highest court in the Schrems II case continue to be felt.”