The UK ranked second when it came to the total value of GDPR (General Data Protection Regulation) fines issued by the different data protection regulators in Europe last year. That is according to a new report by financial experts Finbold. The findings show that while Italy tops the list with the highest fines for cyber incidents at €58.16 million, this was shared between 34 violations. The UK accounts for €43.9 million in penalties, but only from three violations (Marriott, British Airways and Ticketmaster)
What else do the figures say?
- In total, European data protection regulators issued €171.3 million in GDPR fines in 2020.
- The most common GDPR violation across Europe was insufficient legal basis for data processing.
- Together, Italy and the UK accounted for 59.5% of all EU GDPR fines.
- Germany came in 3rd (€37.39 million) while Sweden (€14.27 million) and Spain (€8 million), completed the top five list.
- The biggest data breach fine was issued in Italy against fashion retailer H&M Hennes & Mauritz AB (H&M) at €35.25 million.
The UK’s biggest fine was issued against British Airways (€22.04 million) for a breach that happened in 2018. This was also the third-highest fine in Europe.
The UK is still bound by the GDPR, despite leaving the EU.
What can we say about the cyber incident fines?
Commenting on the findings, Kingsley Hayes, head of data breach at Keller Lenkner UK, said:
“After a slow start following the implementation of the GDPR two years ago, the various European regulators are now getting serious about big data breaches. In this period, privacy violations have rarely been out of the headlines, so today it is unlikely that any organisation would get away with pleading ignorance when it comes to the importance of data protection.
“However, it is not yet proven that large organisations appreciate the need to enact better data security measures. Indeed, earlier this month it was revealed that T-Mobile had suffered its fourth hack in less than three years. So, claims that companies ‘take the security of your information very seriously’ are not always proving to be true. It is good news for consumers that the ICO, and other European regulators, are showing a willingness to issue substantial financial penalties against companies that do not protect consumer data.”
Matthew Evans, expert data breach lawyer at Keller Lenkner UK, added:
“Following the British Airways fine in 2020, it was clear that the ICO penalty reflected the serious nature of the data breach and demonstrated to all how seriously they should take and follow GDPR rules and guidelines. Indeed, while the original fine was reduced from £183 million – partly because of the economic impact of Covid-19 on BA – this was still the largest fine ever imposed by the ICO.
“Today, investing in up-to-date, robust security systems and putting in place risk management practices such as cyber-attack simulations must be introduced by all organisations handling large amounts of personal data. Equally, they should have in place a rapid written response to such attacks. If not, we are only going to see more and more sizeable fines issued by the regulators over the next few years. Furthermore, when you consider the financial impact of data breach compensation on top of these fines, large-scale breaches could prove to be very costly indeed.”