We blogged back in January about how GDPR fines were starting to bite. Now, drawing on data from GDPR Enforcement Tracker, we take a first look at the fines that have been issued under GDPR specifically for data breaches.
The database lists 70 fines related to data breaches, ranging in value from €300 to €10m. Twenty-one countries have levied fines so far, with the greatest number imposed in Romania (15 fines). Not all entries include the number of people affected by the breach but, from the data available, there is certainly a significant spread in scale, from incidents affecting only 1 or 2 individuals to an incident in which the records of 6 million people were compromised.
The mean value of approximately €250 000 is heavily skewed by a few large fines, so it is more informative to look at the median value of around €25 000. This is perhaps a surprisingly low figure given the maximum fines of 4% of global turnover allowed under GDPR, but it probably reflects a sensible and pragmatic application of the new powers by the various regulatory authorities. As ever, though, it is important to remember that fines may be only a small fraction of the total cost of a data breach to the company: the IBM/Ponemon Institute 2018 Cost of Data Breach Survey found that the largest component of the cost of a data breach was lost business.
(At the time of writing we are still waiting for the UK Information Commissioner’s Office (ICO) to confirm the level of the fines that will be imposed on British Airways and Marriott International. The ICO announced its intention to fine these firms £183m and £99m respectively, but neither of these amounts has yet been finalised.)