Data protection regulators have imposed €114m ($126m/£97m) in monetary fines under the GDPR for a wide range of infringements, according to new findings from DLA Piper.
Whilst not all fines were related to data breach infringements, DLA Piper’s latest GDPR Data Breach Survey found that more than 160,000 data breach notifications have been reported across the 28 European Union Member States since the GDPR came into force on May 25 2018.
In terms of the total value of fines issued by geographical region, France (€51m), Germany (€24.5m) and Austria (€18m) topped the rankings, whilst the Netherlands (40,647), Germany (37,636) and the UK (22,181) had the highest number of data breaches notified to regulators.
The highest GDPR fine to date was €50m, imposed by the French data protection regulator on Google, for alleged infringements of the transparency principle and lack of valid consent. Earlier this year, the UK ICO published intentions to fine British Airways £183.39m and Marriott £99m following two high profile data breaches, although neither fine has been finalized at the time of writing.
Ross McKean, a partner at DLA Piper specializing in cyber and data protection, said: “GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organizations.
“The total amount of fines of €114m imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement. We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity.”