$332 Million in GDPR Fines Issued to Date
The figure, about 272.5 million euros, corresponds to 281,000 data breach notifications issued by regulators across Europe since GDPR went into effect.
Regulators have issued $332 in fines since the European Union's General Data Protection Regulation, Europe's premier data privacy law, went into effect.
The figure comes via a new report pieced together by a popular law firm’s cybersecurity and data protection unit, released this week.
DLA Piper, a global law firm - the third largest in the US by revenue – has regularly published the report, tabulating figures around breach notifications, fines, and other statistics related to GDPR since the legislation went into effect in May 2018.
GDPR, of course, requires organizations in the EU to report if they experience a breach within 72 hours. Those who fail to comply are required to pay fines, either 20 million euros, roughly $24.3 million, or up to 4 percent of their annual global revenue, whichever is greater.
According to the report, over the last 12 months, data protection authorities in Europe have imposed fines totaling 158.5 million euros or $192 million under GDPR. DLA Piper publishes the report every year; at this time last year there had been $126 million in fines under GDPR, meaning this year’s number is $66 million higher than last year’s.
For those interested in comparing and contrasting fine figures, DLA Piper points out the fine figure from the last year correlates to a 39 percent increase over the previous 20-month period, right after GDPR came into effect, suggesting that data protection authorities are getting more accustomed to doling out fines as awareness – and the responsibilities – of GDPR spreads.
When it comes to countries, after two years on top, Netherlands was dethroned this past year; since GDPR went into effect, Denmark experienced the most breaches per capita, 155.6 per 100,000 people. After Denmark, Netherlands and Ireland experienced the most breaches per capita.
As far as total value of GDPR fines, Italy’s data protection regulator has parceled out the most, 69.3 million euros, about $84.5 million, worth of fines since GDPR began. Germany is right behind at 69.1 million euros, $83.7 million, and France is in third at 54.4 million euros or $65.9 million. Estonia, which has 1.3 million citizens, accounted for the fewest fines, just 408 euros.
Regulators across the EU sent 121,165 notices the last 12 months, numbers that boil down to 331 breach notifications per day. That’s a 19 percent uptick from the 101,403 breach notifications, roughly 278 notifications a day, sent in 2019. All together, DLA Piper says 281,000 data breach notifications stemming from GDPR have been issued since the legislation’s inception.
Many of the larger GDPR fines of late stem from organizations not having the appropriate security measures in place.
According to the law firm, omitting “one or more of the following measures has been specifically called out as potentially contributing to a breach of Article 32 and the related Article 5(1)(f) GDPR”
- Monitoring privileged user accounts
- Monitoring access to and use of databases storing personal data
- Implementing “server hardening” techniques to prevent access to administrator accounts
- Encryption of personal data, particularly more sensitive personal data
- Use of multi-factor authentication to prevent unauthorized access to internet-facing applications
- Strict access controls for applications on a needs basis, with prompt removal of access when no longer required regular penetration testing
- Not storing passwords in plain-text unencrypted files (known as hardcoding)
- Logging failed access attempts
- Carrying out manual code reviews to check personal data is not being logged where it should not be
- Processing payment card information in accordance with the PCI DSS Standard
For the report, the law firm looked at fines across the European Economic Area – all 27 European Union Member States - plus the UK, Norway, Iceland, and Liechtenstein. While the UK left the EU last month, the report includes fines levied by the UK's Information Commissioner's Office before the Brexit transition period.