Ever since GDPR came into force back in May 2018, EU regulators have increasingly upped their game when it comes to fining organisations with poor data policies or those that suffered data breaches. So, what’s the story behind GDPR penalties so far?
That’s what a new report from law firm DLA Piper details, looking at the full impact of the regulation. It turns out that EU regulators have fined businesses an estimated €114 million for data breaches or substandard practices since GDPR came into force.
So far, France, Germany and Austria have reported the biggest fines. France has delivered the largest penalty at €50m. The French regulator penalised Google after the company infringed the transparency principle and failed to provide adequate consent options.
Across the entire EU plus Norway, Iceland and Liechtenstein (which are not EU members but belong to the EEA), over 160,000 breaches have been reported since May 2018.
Of these breaches, the Netherlands had the highest number of offenders with 40,647 breaches notified to regulators. Germany has the second highest with 37,636, and Britain ranked third with 22,181.
GDPR Is Just Getting Started
Clearly there have been massive fines across the continent, but these aren’t as large as the fines regulators can issue under the GDPR. Regulators have the power to issue penalties of up to €20m or 4% of global annual turnover, whichever is higher. As more fines are issued and legal precedents accumulate, expect the value of fines to rise steeply.
There is evidence that this is already happening, with larger fines on the way in the UK.
For instance, the UK’s ICO has already confirmed its intention to fine British Airways £183m for computer attacks that exposed 500,000 customers’ data in 2019, and hotel chain Marriott £99m for a cyber-attack that resulted in hackers stealing the records of 339m guests.
EU anti-trust cases have resulted in far heftier fines. Google received a €4.3bn fine over the Android mobile OS in 2019, which it is still appealing against.
As more GDPR infringements occur, regulators will have the legal precedent to issue increasingly large fines. The current €114m total is paltry in comparison to the maximum fines regulators could issue. Enforcement activity is sure to rise soon.
The onus is on companies to take better care of their data and to pay greater attention to their security. It means working with trusted partners that take data seriously and understand how to use it both effectively and legally. But given that substantial fines have been issued to well-known brands in such a short space of time, it’s safe to say many companies still struggle with data.
In other words, there’s a lot of opportunity for companies to step up and capitalise by harnessing data correctly. Don’t let the fines deter you – embrace data in the right way today.