The General Data Protection Regulation (GDPR) has been in effect since 25 May 2018, or a little over a year and a half at this point. In that relatively short amount of time there have been over 160,000 data breaches requiring enforcement, and over $126 million in GDPR fines.
This information comes from the recently published GDPR Data Breach Survey conducted by the major multinational law firm DLA Piper.
The distribution of GDPR fines
The GDPR stipulates that any data breach that represents a potential risk to the “rights and freedoms” of any persons must be reported to the country’s Data Protection Authority (DPA) within 72 hours of discovery. Organizations are also required to notify the data subjects of the breach without “undue delay.” A breach won’t always result in GDPR fines, but a failure to report and notify properly will.
From the onset of the GDPR to January 27 of this year, there have been 160,921 personal data breaches in the European Union. Both breach notifications and GDPR fines have increased in the past year as data protection authorities appear to be cutting organizations less slack.
A full $57 million of the $126 million total fines under the GDPR was racked up by Google, which was fined in France a year ago for failing to adequately disclose data collection terms to users. Larger fines to British Airways ($230 million) and Marriott ($123 million) for their respective high-profile data breaches have been proposed in the United Kingdom, but have yet to be finalized as of the end of January 2020.
Data protection authorities have a great deal of independence in determining how they will fine organizations. There is already a striking disparity in the number of data breaches reported among EU member nations. The Netherlands (over 40,000) and Germany (over 37,000) lead all member nations, with the United Kingdom (over 22,000) and Ireland (over 10,000) behind them. No other nation has issued more than 10,000 notifications, however. Iceland, Greece and about half a dozen smaller member nations have issued fewer than 500. When results are weighted on a per capita basis, there is little change to the order of this list.
Likewise, some countries are much stricter with their GDPR fines than others. France is the leader, but only due to the massive fine of Google; remove that €50 million fine and it would drop to the back of the pack. Germany, Austria and Italy have been the most active in issuing fines. Seven nations, including Finland and Ireland, have yet to issue a single fine.