Dive Brief:
- Data privacy watchdogs have handed out 114 million euros, about $126 million, in fines since the General Data Protection Regulation (GDPR) took effect, according to research from law firm DLA Piper.
- The 28 members of the European Union, plus Norway, Iceland and Liechtenstein (which are part of the European Economic Area but not EU members), reported more than 160,000 breach notifications since May 25, 2018. Compared with the period from May 25, 2018 to Jan. 27, 2019, daily breach notifications rose from 247 to 278.
- DLA Piper warns it "would be unwise to assume that low and infrequent fines" will remain the norm. Regulators are increasing their staff to review cases, and the law firm expects to see "multimillion euro fines" in 2020.
Dive Insight:
Not all breaches under GDPR are considered "reportable." Under Article 33, a controller must notify its supervisory authority within 72 hours of becoming aware of a breach unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; those low-risk breaches can go unreported.
Data breaches are only a small aspect of data privacy-related fines. For example, Austria's regulator imposed a 4,800 euro fine on a business whose "unlawful" closed-circuit television system subjected the sidewalk to "excessive" surveillance, according to DLA Piper's 2019 report.
Last year Google made history with a "game changing" $57 million fine, which remains the largest fine under GDPR. French regulators said the company failed to convey what consumer data it collected, why it was processed and how long it was stored. Regulators also found that Google had not obtained valid consent for personalized advertising.
The lack of transparency in Google's personalized ads business led to its fine and set the tone for other companies with data infringements that were deemed "intentional."
Regulators have to answer several questions before calculating fines, broadly following the criteria set out in Article 83(2) of GDPR, including:
- What was the nature of the infringement, intentional or negligent?
- How many consumers were impacted? What type of data was exposed?
- How long did the violation last?
- What was the purpose of the data processing?
- What actions were taken after the incident, including cooperation with regulators?
- What preventive measures were in place before the incident?
- Does the company have a history of data privacy infringements?
Companies concerned with compliance are reserving funds for potential fines. Almost three-quarters of businesses have a budget dedicated to GDPR-related fines, according to research from Ponemon Institute.
Companies with incidents prior to May 25, 2018 aren't insulated from penalties. GDPR is not retroactive, but it applies to any processing that continues after that date, and earlier conduct remains punishable under the law in force at the time. For example, the United Kingdom's Information Commissioner's Office fined Equifax £500,000, about $658,000, in September 2018 for its 2017 breach, the maximum available under the pre-GDPR Data Protection Act 1998.