European data regulators have now issued fines totalling €114m (£97m) under GDPR, but there are far more to come, according to a report published today.
GDPR, which is in force across the 28 Member States of the European Union, as well as Norway, Iceland and Liechtenstein, has already seen 160,000 data breach notifications since it came in on 25 May 2018.
The report, published by DLA Piper, has found that these notifications have begun to translate into serious financial penalties. These have been led by France, Germany and Austria, which have issued totals of €51m, €24.5m and €18m in fines under GDPR respectively.
The UK is comparatively low on the list, placed just thirteenth; however, that will change soon. While the UK Information Commissioner’s Office has issued an intention to fine Marriott £99m and British Airways £183m, the final decision will not be made until 31 March 2020. As a result, these have not been included in the total announced today.
Much of France’s total was issued to a single company, Google, which was slapped with a €50m fine for transparency and consent infringements.
However, despite the high numbers, GDPR remains a very young law, and it is widely expected that the worst is still to come.
“The total amount of fines of €114m imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement,” said Ross McKean, a partner at DLA Piper.
“We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity.”
GDPR fines “should serve as a wake-up call”
For others in the industry, the research serves to highlight how many companies need to step up their game when it comes to GDPR, as despite the risk of fines, many are still not complying with the law. And for Wayne Johnson, CEO and co-founder of Encompass Corporation, this is a particular concern in the financial sector.
“It’s no surprise that data privacy watchdogs are gearing up to make full use of their expanded powers after collecting around £100m in fines for data violations. Since the arrival of the GDPR, large companies and banks have been scrambling to implement effective policies to adhere to the legislation, with mixed results so far,” said Johnson.
“This news should serve as a wake-up call for financial services organisations to ensure full compliance with existing and incoming legislation. With new figures revealing that banks were hit with over £6bn globally for breaches of anti-money laundering regulation, the importance of adhering to strict compliance rules cannot be underestimated.
“Moving forward, the ability to know your customer and manage their data proficiently should be a top priority for banks of all sizes.”