Data protection regulators have issues €114 million in fines so far under the 2018 General Data Protection Regulation.
The latest findings from DLA Piper found that over 160,000 data breach notifications have been reported across the European Union since the regulation came into effect on May 25, 2018.
Geographically speaking, fines were the highest in France (€51m), Germany (€24.5m) and Austria (€18m). Countries with the largest number of data breaches notified to regulators include the Netherlands (40,647), Germany (37,636) and the UK (22,181).
The largest GDPR to date stands at €50m, which was imposed by the French data protection regulator on Google. In this instance, the tech giant was fined for alleged infringements of the transparency principle and lack of valid consent.
In July 2019, the UK's Information Commissioner's Office (ICO) published intentions to fine British Airways £183.39m and Marriot Hotels £99m as a result of data breaches that hit the organizations back in 2018. Neither fine has been issued at this time.
The report also found that the breach notification rate has increased by over 12% since last year's report and regulators have been busy enforcing their new powers to hold organizations accountable or risk heavy fines.
The €114m in fines issued since GDPRs official enactment is relatively low compared to the potential maximum fines that can be issued under the new regulation, leading many to believe that we're in the early stages of enforcement.
Under GDPR, potential fines of up to €20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year can be issued. To avoid these costly fines and public backlash, organizations should get their security defenses in check and expect to see more multi-million Euro fines being issued over the span of 2020 as regulators ramp up their enforcement activity.
NNT also recommends regularly patching systems to minimize risk and eliminate security vulnerabilities, ensure that the proper access controls are in place (learn more about CIS Control 14: Controlled Access Based on the Need to Know), and only collect and store information that's absolutely critical to business operations.