European data protection agencies have issued fines totalling €56m for GDPR breaches since it was enforced last May, from more than 200,000 reported cases – but watchdogs have said they're just warming up.
An assessment from the European Data Protection Board (EDPB), which is made up of regulators across the region, found that, in the first nine months, there were 206,326 cases reported under the new law from the supervisory authorities in the 31 countries in the European Economic Area.
Vivienne Artz, chief privacy officer of market data purveyor Refinitiv, cited the report (PDF), published at the end of February, at a panel event assessing the first year of GDPR at a data protection conference in London this week run by the International Association of Privacy Professionals.
About 65,000 were initiated on the basis of a data breach report by a data controller, while about 95,000 were complaints. Some 52 per cent of the overall cases have already been closed, with 1 per cent facing a challenge in national courts.
Artz said that the total fines came to €55.96m – which she observed seemed like a lot before you realise that almost all of it comes from French data watchdog CNIL's €50m fine for Google.
Indeed, the figure emphasises the size of CNIL's fine – which was the first it had handed out under GDPR – and the body's director of the rights protection and sanctions directorate, Mathias Moulin, was on the panel to set out its reasoning.
He said the breach was "massive and highly intrusive", and that the fine had been based on five factors. These included the type of violation, its scale – it was continuous, rather than a one-off, and affected lots of people and massive amounts of data – and the size of the company.
But given the huge range of potential fines – which has risen from "up to £500,000" (in the UK) to "up to" €20m or 4 per cent of annual turnover – the EDPB has also tasked data protection agencies with "harmonising" their approaches.
At the event, Stephen Eckersley from the UK Information Commissioner's Office revealed that his organisation was working with the data protection agencies in the Netherlands and Norway to establish a "matrix" for calculating fines. This won't be public-facing, he said, but will instead be a "toolkit" for watchdogs.
As for the ICO's enforcement actions, he said that there were some GDPR cases in progress, but that the past year had been mostly focused on legacy investigations, with fines handed to Uber, Facebook and Equifax.
Even CNIL's Moulin, said that last year "should be considered a transition year" for GDPR, as national regulators had to focus on finalising their rules and approaches, and spent most of their time tying up probes under the previous regime.
One thing that did change immediately under GDPR, if not the fines, was the number of incident reports. This was particularly so for companies turning themselves in over data breaches.
Eckersley said there was a "massive increase" in reports of data breaches in the first month at 1,700. This has levelled out a little, but there are still about 400 coming in a month. Overall, he expects the total to reach about 36,000 this year – up from 18,000 to 20,000 previously.
In order to deal with the increased demand – and organisations' propensity to report "just in case" – the ICO has set up a dedicated team for personal data breaches, so data controllers have a single point of contact to help them assess whether to make a formal notification.
The panel also noted that, while data breaches are more likely to hit the headlines, there are many more complaints coming in about other aspects of privacy regulations. For instance, Eckersley said that about half of the complaints relate to the way subject access requests have been handled. ®