The number of financial penalties imposed to resolve violations of the General Data Protection Regulation (GDPR) in the EU increased significantly in 2020. According to figures released by the law firm DLA Piper, since January 28, 2020, €158.5 million in penalties have been sanctioned, bringing the total up to €272.5 million. The total penalties for 2020 are 39% higher than the total for the 20 previous months, dating back to when the GDPR took effect.
Italy has been the most active EU member state, having imposed €69,328,716 in financial penalties to resolve GDPR violations, with Germany a close second at $69,085,000 in fines, followed by France (€454,436,300) and the United Kingdom (€44,221,000). While many of these financial penalties were imposed as a result of data breaches, penalties have also been issued when companies were found not to be in full compliance with the requirements of the GDPR.
The report shows that data breach notifications in 2020 were up 19% compared to 2019. 121,165 breach notifications were sent to data protection authorities in 2020 compared to 101,403 in 2019. In total, 281,000 data breaches have been reported since May 25, 2018 when the GDPR took effect.
Germany tops the list for reported breaches with 77,747, followed by the Netherlands with 66,527 and the United Kingdom with 30,536. When the figures are adjusted to take population into account, Denmark fared the worst, followed by the Netherlands and Ireland.
It should be noted that there are some caveats with these figures. Some countries have imposed GDPR fines but have not disclosed the exact amount, so the penalty amounts had to be estimated, and not all GDPR financial penalties are reported publicly.
At the bottom of the list in terms of fines are Lithuania (€80,759), Austria (€70,950), Iceland (€29,588), Liechtenstein (€4,434), and Estonia (€408); in terms of the number of reported breaches, the bottom five are Lithuania (310), Latvia (274), Croatia (231), Cyprus (187), and Liechtenstein (50).
Taken at face value, the figures in the report suggest that companies in some countries have been better at preventing data breaches and at ensuring full compliance with the requirements of the GDPR; however, that is not necessarily the case.
“These wide variations illustrate that although data protection laws within the EEA and the U.K. all derive from the same core GDPR regulation, the compliance culture of organizations and the interpretation and enforcement practice of the different data protection supervisory authorities varies very significantly,” said DLA Piper in its report.