The GDPR Enforcement Tracker website shows a dramatic increase in the number of fines being issued for data breaches in recent months. Across Europe only 75 fines were levied in the first two years after GDPR came into force, or about 3 fines per month. However, in the last 9 months a further 72 fines have been issued and half of these were in the last 3 months! Indeed the Swedish regulator issued 8 fines, totalling €6.8m, in December 2020 alone.
Romania and Spain remain the most active regulators, with 28 and 16 fines respectively, whilst Italy has moved into third place with 12 fines. Overall, across the 27 countries of the EU and the UK, 24 countries have now issued at least one fine under Articles 32, 33 or 34 of GDPR (security of processing, notification of a breach to the supervisory authority, and communication of a breach to the data subject).
The UK remains a bit of an outlier compared with other large economies, with the Information Commissioner’s Office (ICO) having issued only 4 penalties so far. However, these include 3 of the 10 largest fines for data breaches, namely:
- A £20m fine on BA;
- An £18.4m fine on Marriott International; and
- A £1.4m fine on Ticketmaster UK.
It is not clear why the ICO is taking a different approach from the majority of EU regulators, or whether this will continue from October 2021 under the next Information Commissioner. It is also not clear whether the recent increase in the number of fines is a temporary blip or represents a new normal. Regardless of these unknowns, the fact remains that data breaches are extremely costly, both in financial and reputational terms. Follow the link to the Information Security section of our website to see how we can help you to minimise the risk of an information security incident.