€ 114 million of GDPR fines were imposed, and over 160,000 data breach notifications occurred, according to the DLA Piper Data Breach Report 2020.
DLA Piper’s GDPR Data Breach Survey 2020 was run in collaboration with colleagues across the global DLA Piper privacy team and reports interesting findings on the value of fines and the number of data breach notifications, outlined below:
€ 114 million of fines since the GDPR effective date
Data protection regulators have imposed € 114 million (approximately $ 126 million / £ 97 million) in fines under the GDPR regime for a wide range of GDPR infringements, not just for data breaches. France, Germany, and Austria top the rankings for the total value of GDPR fines imposed, with just over € 51 million, € 24.5 million, and € 18 million, respectively.
The highest GDPR fine to date was € 50 million, imposed by the French data protection regulator on Google for alleged infringements of the transparency principle and lack of valid consent, rather than for a data breach. Following two high-profile data breaches, the UK ICO published two notices of intent to impose fines in July 2019 totaling £ 282 million, although neither of these had been finalized as of the date of this report.
160,000 data breach notifications and the numbers are increasing
The rate of breach notification has increased by over 12% compared to last year’s report, and regulators have been busy road-testing their new powers to sanction and fine organizations.
Data relating to Italy was stable. A total of 1,886 data breach notifications were made, while the previous report, which covered the period from the GDPR effective date to January 2019, showed 610 notifications.
My personal view on the data
Significant GDPR fines were recently issued in Italy, bringing the total amount of fines issued in the country to € 11.55 million. However, further fines are likely to be in the pipeline. The board of the Garante is about to be replaced, and the newly appointed board will have to deal with proceedings that have been pending for quite a long time. Therefore, the scenario might change in the coming months.
As to the number of data breach notifications, my personal view is that such data show different approaches by data protection authorities. In countries like Italy, each data breach notification is reviewed, and the regulator asks follow-up questions, requires communication to the affected individuals, and potentially starts an investigation.
In other jurisdictions where the number of data breach notifications is considerably higher, companies do not carry out an in-depth assessment as to the need to perform a GDPR data breach notification under article 33. There is the concept of “preventive” notification, which is performed in any case when there are no elements to assess whether a notification is actually due. Such an approach risks blocking the operation of data protection authorities, which cannot review 40K+ notifications, and it cannot be in line with the principle of accountability set out by the GDPR.
On the topics mentioned above, you may find the articles “Are privacy fines massive under the GDPR?” and “Top 3 lessons learned on how to be ready to handle a data breach” interesting. And don’t miss the DLA Piper Data Breach Report 2020.