Since the General Data Protection Regulation (GDPR) came into effect in May 2018, authorities have received more than 160,000 notifications of data breaches. The number of breaches and other security incidents being reported is also on the rise.
DLA Piper found that the GDPR has resulted in an increase in breach notifications. In the time since the GDPR came into force, the average has been 278 notifications a day.
"GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year's report and regulators have been busy road-testing their new powers to sanction and fine organisations," said Ross McKean, partner at DLA Piper, specialising in cyber and data protection.
This brings the total number of GDPR fines paid to date to six, with a total value of €114m. The largest GDPR fine paid to date is the €50m issued by the French data protection authority, CNIL, to Google over infringements around transparency and consent.
The UK Information Commissioner's Office has fined two organisations for data-protection infringements, but the organisations have not yet come to an agreement over the payments.
In July of last year, British Airways was fined 183 million pounds following a cyberattack in which the personal details of around 500,000 customers were stolen.
The ICO concluded that there was a data breach at British Airways due to their poor security arrangements. The airline was not happy with the fine, stating they were surprised and disappointed.
The ICO fined Marriott Hotels £99m for a data breach that exposed the personal details of 339 million guests around the world. The breach occurred when the company's Starwood reservation system was hacked in 2014.
Hackers infiltrated the computer system of Starwood Hotels in 2014. The hotel chain was subsequently purchased by Marriott in 2016, but the breach wasn't discovered and fixed until 2018. Marriott has been fined by the UK's Information Commissioner's Office (ICO) for the breach. A statement from Marriott at the time of the penalty notice said the company was "deeply disappointed" by the proposed fine.
Both Marriott and British Airways have decided to appeal their fines.
Organisations that are found to be irresponsible with security and have a data breach can be fined up to four percent of their annual turnover. Despite this risk, it is believed that only one-third of organisations are fully GDPR-compliant.
McKean said that the total amount of fines of €114 million imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement.
"We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity."