If the number of breaches reported since the onset of the General Data Protection Regulation portends anything, we’ll no doubt see a number of high-figure GDPR fines coming down the pipeline in 2020.
Since May 25, 2018 – the date the GDPR went into effect – there have been over 160,000 data breach notifications. 160,921 to be specific. That number, for what it's worth, has translated to 144 million euros or $126 million in fines under GDPR, according to DLA Piper, an international law firm that's been keeping track of the number of data breaches reported to EU regulators.
As part of its annual Data Breach Report, the law firm looks at personal data breaches reported to data protection authorities throughout the European Economic Area, or EEA.
Given the proliferation of stories about data breaches in the headlines, perhaps it’s not a huge surprise that the number is more than double the figure (60,000) DLA Piper reported last year at this time. While yes, this year's report covers a full year of the GDPR and its procedures being implemented, and 2019's included only 8 months of the GDPR, the numbers still correlate with a 12 percent increase in the breach notification rate.
Like last year, the Netherlands experienced the most breaches per capita, 147.2, with Ireland, Denmark, and Iceland not far behind. When looking at the sheer number of breaches overall, the Netherlands still took the cake, followed by Germany and the UK.
The report, like many articles about GDPR of late, makes a point of highlighting just how few fines there have been so far. Aside from large fines imposed on British Airways and Marriott, which obviously commanded headlines when they were handed down, the money figure isn’t as high as one would expect, especially given that the maximum fine against a company could be four percent of its annual turnover.
The law firm posits this will change in 2020, especially as supervisory groups and data protection authorities, like the UK’s Information Commissioner's Office, continue to reinforce their staff.
“It would be unwise to assume that low and infrequent fines will be the norm going forward,” the report reads. “Supervisory authorities across Europe have been staffing up their enforcement teams and getting to grips with the new regime. It takes time to build a robust case to justify higher fines. We expect to see more multi million Euro fines in the coming year.”
The report’s total value of GDPR fines is, as expected, skewed by the mammoth 50 million euro fine that France's data protection regulator, CNIL, imposed on Google last January. Also absent from the report are the British Airways and Marriott fines, as technically they were notices of intent to fine and were not finalized when DLA Piper was drafting the report.
While the report acknowledges it could be some time until there’s a formal, legal certainty around how GDPR fines should be calculated, it makes a point to drive home that one thing is certain: There will be more of them.