GDPR claims €114m in fines in under two years - with more to come this year

European data protection authorities have received more than 160,000 data-breach notifications since GDPR came into force in May 2018

Data protection authorities across the European Union and European Economic Area have fined organisations a total of €114 million over data breaches since the introduction of GDPR.

That's according to law firm DLA Piper [PDF] in its latest annual Data Breach Report, based on an analysis of 160,921 personal data breaches notified to data protection authorities across Europe - and breach notifications appear to be going up, not down, it noted.

"For the period from 25 May 2018 to 27 January 2019 there were on average 247 breach notifications per day. For the period from 28 January 2019 to 27 January 2020 there were on average 278 breach notifications per day (a 12.6 per cent increase)."

The Netherlands, Germany and the UK accounted for 40,647, 37,636 and 22,181 reported data breaches respectively.

Breach notifications typically aren't openly published - and most are thoroughly trivial and precautionary - but even the fines proposed or levied by data protection authorities across the continent are not necessarily published, either.

Nevertheless, DLA Piper warns, very few fines have so far been levied under GDPR.

"The total (reported) fines for the full 20-month period across all countries surveyed was just over €114 million (about £97 million), which is quite low given that supervisory authorities enjoy the power to fine up to four per cent of total worldwide annual turnover of the preceding financial year.

"France, Germany and Austria top the table for the total value of GDPR fines imposed to date with €51 million, €24.5 million and €18 million respectively."

The Information Commissioner's Office (ICO) in the UK may catch up later this year when it finalises its first GDPR-era fines, totalling £282 million. "We expect to see more multi-million Euro fines in the coming year," the report added.

It continued: "Many organisations and, indeed, many supervisory authorities are struggling with how to determine when a breach is or is not notifiable given the vagaries of the legal trigger for notification - where there is 'a risk' to the rights and freedoms of natural persons."

This is reflected, for instance, in the decision of currency exchange giant Travelex not to notify the ICO of its recent ransomware attack, which has so far kept many of its IT systems down for 21 days, and counting. It has argued that no sensitive customer data has been compromised as a result of the attack. The ICO may take a different view.

Organisations are obliged to notify national data protection registrars of data breaches potentially affecting personal information within 72 hours - at the latest - of discovery.

There is, though, evidence that organisations are pushing back strongly against data protection authorities' stiff fines. The ICO in the UK, for example, has extended its regulatory processes involving British Airways and Marriott until the end of March 2020.

The ICO has proposed a fine of £183 million on British Airways and £99 million on hotel chain Marriott over data breaches at their respective organisations.

However, the only fine the ICO has followed through with so far is the £275,000 fine levied on London-based pharmacy Doorstep Dispensaree in December last year.

The EU's General Data Protection Regulation (GDPR) came into force on 25th May 2018 with the aim of forcing organisations to take data protection more seriously - with the threat of fines of up to four per cent of global turnover the stimulus for driving improved IT security and privacy policies.