Total payments so far are €114 million. But that total is likely to soar and the UK’s data protection regulator has threatened fines totalling €329 million – though they have not yet been finalised and imposed.
Law firm DLA Piper says the Netherlands reported most data breaches between 25 May 2018, when the GDPR law came into force, and this month, with 40,647 incidents filed. Germany reported 37,636 and the UK 22,181.
The GDPR law covers the European Economic Area (EEA), which includes all 28 Member States of the EU plus Norway, Iceland and Liechtenstein. The UK, due to leave the EU at the end of January, has enforced GDPR-strength laws.
The law firm notes that the UK’s Information Commissioner’s Office (CO) “made global headlines when it announced notices of intent to fine companies from the airline and hospitality industries £183 million (about €213 million/$238 million) and £99 million (about €115 million/$129 million) respectively for alleged poor security arrangements and failures to carry out appropriate due diligence”, though it points out: “At the time of writing neither of these fines have been finalised”.
The UK ICO “has so far only issued one relatively small fine under GDPR for £275,000 in December 2019 despite having received 22,181 personal data breach notifications to date”, says DLA Piper.
