Regulators have imposed GDPR fines of €114m so far, while the vast majority of companies still admit they are yet to become fully compliant, according to two pieces of research on the impact of the EU's new privacy regime.
According to the DLA Piper GDPR Data Breach Survey 2020, France, Germany and Austria top the rankings for fines - with penalties of €51m, €24.5m and €18m respectively - while the countries generating the most data breach notifications were the Netherlands (40,647), Germany (37,636) and the UK (22,181).
Meanwhile, a survey of Irish companies jointly published by McCann FitzGerald and Mazars found only 8% of the respondents believing they are ‘fully compliant’ with GDPR.
According to the DLA Piper research, the rate of data breach notifications has increased by more than 12% over the last year with the total number of breaches reported climbing to 160,000.
France has imposed the highest GDPR fine to date, imposing a €50m penalty on Google for alleged infringements of the transparency principle and lack of valid consent.
The UK ICO published two notices of intent to impose fines in July 2019 totalling £282m, against British Airways (£183m) and Marriott International (£99m), but neither has been finalised to date.
Patrick Van Eecke, chair of DLA Piper's international data protection practice, said: “The early GDPR fines raise many questions. Ask two different regulators how GDPR fines should be calculated and you will get two different answers. We are years away from having legal certainty on this crucial question, but one thing is for certain, we can expect to see many more fines and appeals over the coming years”.
The report by McCann FitzGerald and Mazars found that almost three-quarters (71%) of companies - an increase on the 51% reported in 2018 - say that they reported a personal data breach to the Data Protection Commission (DPC), or another supervisory authority, last year. Only 8% believe they are ‘fully compliant’ with GDPR.
Companies are also falling short on leadership of their GDPR efforts. Only 69% of organisations say they carry out periodic reviews of their records of processing activities, while around one-fifth (18%) have not defined internal roles and responsibilities for data protection. Less than half (44%) say their CEOs are strongly engaged on GDPR compliance and data privacy.
Paul Lavery, a partner and head of technology and innovation at McCann FitzGerald, said: “It is clear that a majority of organisations have some work to do to achieve compliance with GDPR. Given the substantial fines that may be levied for GDPR breaches, it is crucial that organisations get internal policies and procedures on GDPR right to protect themselves from this risk.”