UK Law Firm Report Reveals 91 GDPR Fines from almost 60,000 Breach Notifications

A recent report, published by the UK-based multinational legal firm DLA Piper, has revealed that since the European Union’s General Data Protection Regulation became enforceable on May 25, 2018, almost 60,000 data breach notifications have been reported to data protection agencies in European Union Member States.

During that period, according to the report, data protection agencies have imposed 91 fines for GDPR breaches. However, these fines were not all related to exposing private personal information. For instance, Google was the company subjected to the highest fine, €50 million, by the French data protection authority (CNIL) in relation to processing personal data for advertising purposes without first obtaining the permission required under the new EU legislation.

Other fines covered in the report include a €20,000 GDPR penalty for a German company that failed to hash its employees’ passwords and a €4,800 fine for a company in Austria over excessive use of CCTV cameras that keep watch on a public pathway. The report also found that the Netherlands was the EU country with the most complaints at 15,000, followed closely by Germany with 12,500 and the UK with 10,600 reports.

It must be noted, however, that a massive surge in GDPR penalties is expected in 2019 as regulators and data protection authorities become more familiar with the new system and begin the process of evaluating each report. This surge was previously predicted by Raegan MacDonald, Senior Policy Manager and EU Principal for Mozilla.

The DLA Piper report states that: “Regulators are stretched and have a large backlog of notified breaches in their inboxes. Inevitably the larger headline-grabbing breaches have taken priority when allocating resources, so many organizations are still waiting to hear from regulators whether any action will be taken against them in relation to the breaches they have notified.”

Speaking at the launch of the report, Sam Millar, a partner at DLA Piper specializing in cyber and large-scale investigations, stated: “The regulators have already started to flex their muscles with 91 GDPR fines imposed to date but the fine against Google is a landmark moment and is notable partly because it is not related to personal data breach. We anticipate that regulators will treat data breach more harshly by imposing higher fines given the more acute risk of harm to individuals. We can expect more fines to follow over the coming year as the regulators clear the backlog of notifications.” You can read the full report here.

The trend identified suggests a constant increase in GDPR breach notifications and a subsequent increase in GDPR penalties. This gives businesses a clear opportunity to enhance their reputation among prospective clients by bolstering their data protection measures and avoiding any GDPR breaches.