A study conducted by Precise Security shows that the Netherlands, Germany and the United Kingdom are the countries with the most GDPR Data Breaches in the EU, totaling more than 100,000 reported cases, a figure that is higher than the cases reported in the other member states combined.
The Netherlands and Germany lead the ranking almost head-to-head, with 40,600 and 37,600 data breaches respectively, while the United Kingdom comes in third with 22,100 reported cases. The top 10 is completed by Ireland (10,500 cases), Denmark (9,800), Poland (7,400), Sweden (7,300), Finland (6,300), France (3,400) and Norway (2,800).
GDPR (General Data Protection Regulation) was introduced by the EU in May 2018, and more than 160,000 data breaches have been reported since, according to the DLA Piper GDPR Data Breach Survey 2020. The rising number of cases shows how valuable personal data is and the lengths to which hackers or otherwise malevolent organizations are willing to go to acquire it. Of course, not all data breaches are due to such activities: many well-intentioned organizations still struggle to understand the new standards of data privacy and thus fail to comply with them, despite huge potential fines.
Top 10 GDPR-breaching countries: EUR 48 million worth of fines in just 3 months
According to data from the same study, in only 3 months (November and December 2019, and January 2020), GDPR-related penalties increased by EUR 48 million, bringing the total to EUR 450 million since the regulation's introduction in May 2018. Almost 70% of the total figure was imposed by the UK’s Information Commissioner’s Office (ICO) – EUR 314.9 million, the bulk of this sum being directed at just two organizations: British Airways (EUR 204 million – the highest data breach penalty in the world) and Marriott International, Inc (EUR 110 million). Google closes the top 3 in GDPR penalties, having received a EUR 50 million fine from France’s data protection regulator, CNIL.
Later edit: ICO’s fines against British Airways and Marriott International, Inc are actually a “notice of intent” and thus are not final; the two companies are currently fighting to overturn, or at least decrease, the penalties. This makes Google’s EUR 50 million fine from CNIL the largest final and binding fine ever issued for a GDPR-related breach, until a final resolution is reached in ICO’s two high-profile cases. You can track all GDPR fines on Privacy Affair’s GDPR Fines Tracker & Statistics.