According to DLA Piper’s latest GDPR Data Breach Survey, data protection regulators have imposed €114 million (approximately $126 million or £97 million) in fines under the GDPR regime for a wide range of GDPR infringements, not just for data breaches.
France, Germany and Austria top the rankings for the total value of GDPR fines imposed with just over €51 million, €24.5 million and €18 million respectively. The Netherlands, Germany and the UK topped the table for the number of data breaches notified to regulators with 40,647, 37,636 and 22,181 notifications each.
“GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organisations,” says Ross McKean, a partner at DLA Piper.
“The early GDPR fines raise many questions. Ask two different regulators how GDPR fines should be calculated and you will get two different answers.”
The highest GDPR fine to date was €50 million imposed by the French data protection regulator on Google, for alleged infringements of the transparency principle and lack of valid consent, rather than for a data breach.
Following two high-profile data breaches, the UK ICO published two notices of intent to impose fines in July 2019 totalling £282 million (approximately €329 million), although neither of these had been finalised as at the date of this report.
Commenting on the report, Michael Magrath, Director, Global Regulations & Standards, OneSpan says: “The number of data breaches reported in the EU is quite alarming, but not surprising. According to DLA Piper, 78,283 (49%) of the reported breaches have come from two member states, Netherlands and Germany. That leads me to think that the 160,000 figure is likely a lot larger, with many breaches going unreported.
GDPR was well conceived and has served as a model for numerous other data protection laws including the California Consumer Privacy Act (CCPA), Brazil’s General Data Protection Law (LGPD) and Thailand’s Personal Data Protection Act (PDPA).
However, GDPR lacks the regulatory technical standards that other regulations and directives, like PSD2 have required which may leave EU citizens exposed. For example, GDPR does not prohibit organizations from using a static user name and password to authenticate users to access sensitive personally identifiable information, while PSD2, when fully enforced, will bring strict requirements for strong authentication for banking and e-commerce.”
The post European GDPR fines against data breaches much higher than expected appeared first on Payments Cards & Mobile.