It’s been more than three years since GDPR came into effect. The EU-wide regulation, which controls how businesses collect, store and share personal information, has resulted in hundreds of fines all across the world, but only five in the UK.
This is according to a new report from cybersecurity company ESET, based on analysis of all the fines issued by national data watchdogs as a result of GDPR breaches.
The company found that, despite being among the lowest in the number of fines, the UK is the second-highest for average fine value ($10 million), outdone only by Luxembourg.
Since May 2018, more than 650 fines have been issued, the company further found, totalling more than $320 million. With an $875 million fine, Amazon was awarded the heftiest penalty, followed by $58 million for Google and $41 million for H&M.
With the exception of Amazon, most of the fines were handed out due to “insufficient legal basis for data processing”. In other words, companies couldn’t prove they really needed the data they were processing. More than 270 businesses fell foul to this rule, and it was also the rule responsible for both the highest average fine, and the largest amount of total GDPR fines paid.
The second most common reason was “insufficient technical and organizational measures to ensure information security”. More than 150 businesses violated this GDPR rule, including British Airways and Marriott International.
With 273 fines, Spain was the country to have issued the most GDPR penalties, while the Netherlands, Isle of Man and Malta are at the bottom of the list, with each country having issued just one fine.
- These are the best cloud storage solutions on the market right now