£100m Fines Across Europe In The First 18 Months of GDPR
It has been reported that since the EU’s General Data Protection Regulation (GDPR) came into force in May 2018, £100m of data protection fines have been imposed on companies and organisations across Europe.
The Picture In The UK
The research, conducted by law firm DLA Piper, shows that the total fines imposed in the UK by the ICO stands at £274,000, but this figure is likely to be much higher following the finalising of penalties to be imposed on BA and Marriott. For example, Marriott could be facing a £99 million fine for data breach between 2014 and 2018 that, reportedly involved up to 383 million guests, and BA (owned by IAG) could be facing a record-breaking £183 million for a breach of its data systems last year that could have affected 500,000 customers.
Also, the DLA Piper research shows that although the UK did not rankly highly in terms of fines, the UK ranked third in the number of breach notifications, with 22,181 reports since May 2018. This equates to a relative ranking of 13th for data breach notifications per 100,000 people in the UK.
Increased Rate of Reporting
On the subject of breach notifications, the research shows a big increase in the rate of reporting, with 247 reports per day over the six months of GDPR between May 2018 and January 2019, which rose to 278 per day throughout last year. This rise in reporting is thought to be due to a much greater (and increasing) awareness about GDPR and the issue of data breaches.
France and Germany Hit Hardest With Fines
The fines imposed in the UK under GDPR are very small compared to Germany where fines totalled 51.1 million euros (top of the table for fines in Europe) and France where 24.6 million euros in fines were handed out. In the case of France, much of the figure of fines collected relates to one penalty handed out to Google last January.
Already Strict Laws & Different Interpretations
It is thought that businesses in the UK having to meet the requirements of the already relatively strict Data Protection Act 1998 (the bones of which proved not to differ greatly from GDPR) is the reason why the UK finds itself (currently) further down the table in terms of fines and data breach notifications per 100,000 people.
Also, the EU's Data Protection Directive wasn’t adopted until 1995, and GDPR appears to have been interpreted differently across Europe because it is principle-based, and therefore, apparently open to some level of interpretation.
What Does This Mean For Your Business?
These figures show that a greater awareness of data breach issues, greater reporting of breaches, and increased activity and enforcement action by regulators across Europe are likely to contribute to more big fines being imposed over the coming year. This means that businesses and organisations need to ensure that they stay on top of the issue of data security and GDPR compliance. Small businesses and SMEs shouldn’t assume that work done to ensure basic compliance on the introduction of GDPR back in 2018 is enough or that the ICO would only be interested in big companies as regulators appear to be increasing the number of staff who are able to review reports and cases. It should also be remembered, however, the ICO is most likely to want to advise, help and guide businesses to comply where possible.