Data Privacy

GDPR fines heading for £100m, survey finds

A new survey showing the first significant fines under GDPR will start to dispel fears about whether the personal data protection law actually has teeth.

According to law firm DLA Piper’s latest GDPR Data Breach Survey, data protection regulators have so far imposed €114 million (approximately £97 million) in fines for a wide range of GDPR infringements, including data breaches.

The fines were across the European Economic Area (EEA), which includes all 28 EU member states plus Norway, Iceland and Liechtenstein, between May 25 2018 and January 27 2020.

The survey found that there have been 160,921 personal data breaches reported within the EEA since May 25 2018.

The Netherlands, Germany and the UK topped the table for the number of data breaches notified to regulators with 40,647, 37,636 and 22,181 incidents respectively.

The countries with the fewest breaches notified were Latvia, Cyprus and Liechtenstein with around 173, 94 and 30.

France, Germany and Austria top the rankings for the total value of GDPR fines imposed with just over €51 million, €24.5 million and €18 million respectively.

The highest GDPR fine to date is €50 million imposed on Google by the French data protection regulator, not for a data breach but for alleged infringements of transparency and lack of valid consent.

The UK’s Information Commissioner’s Office (ICO) published two notices of intent to impose fines in July 2019 totalling £282m – for the British Airways and Marriott Hotels data breaches – although neither of these has yet been finalised.

While relatively few fines have so far been imposed under the GDPR regime, especially in relation to the number of data breaches reported, the report’s authors warn against complacency about the future:

“It would be unwise to assume that low and infrequent fines will be the norm going forward.

“Supervisory authorities across Europe have been staffing up their enforcement teams and getting to grips with the new regime. It takes time to build a robust case to justify higher fines.

“We expect to see more multi-million Euro fines in the coming year.”