GDPR Regulators Set To Enforce Harsher Fines For Non-Compliance

Since GDPR came into force eight months ago over, official regulators have been notified that over 59,000 GDPR data breaches have taken place across the EU.

It has been six months since General Data Protection Regulation (GDPR) was brought into force on May 25th 2018.

Under the new regulations, any firm that is breached and the data they hold becomes vulnerable have 72 hours to notify a regulator after the time of discovery. Failing to do this could result in mammoth fines of up to £8.5 million or 2% of the company’s worldwide annual turnover.

A recent survey, carried out by global law firm DLA Piper, has found that the 59,000 personal data breaches ranging from severe cyber attacks affecting millions of individuals and their sensitive data to minor email breaches with messages being sent to the wrong person have been notified to EU regulators.

Up to now, the survey claims that fines imposed have used the pre-GDPR system with regulators using discretionary powers to fine companies and individuals at a lower rate.

The French data protection authority, CNIL, have issued the most extensive fines to date with Google being charged in excess of £43 million for processing personal data without valid authorisation.

The German data protection authority (LfDI Baden-Württemberg) have issued over 62 fines including a £17,000 fine for causing a data breach by failing to hash employee passwords and £68,000 after a company published health data without appropriate permissions.

According to the data, the Netherlands, Germany and the UK were responsible for the majority of notified data breaches in the eight months since GDPR came into force. The Netherlands’ EU regulators were notified of 15,400 data breaches, Germany were responsible for 12,600.

The UK has amassed a total of 10,600 notified breaches since May 24th of last year. This equates to over 1,000 notified breaches per month and over 42 per day.

This places the UK as 10th in regards to data breaches per capita, with The Netherlands, Ireland and Denmark guilty of the most breaches per capita.

The UK has notified appropriate GDPR regulators of 16.3 data breaches per 100,000 people whilst the Netherlands is leaking sensitive data at a rate of 89.8 per 100,000 people, shortly followed by Ireland’s 74.9 per 100,000 people.

The DLA Piper GDPR Data Breach Survey commented: “It is still very early days for GDPR enforcement, with only a handful of fines reported across the EU. With the exception of the recent €50 million fine imposed on Google, so far the levels of fines have been low, certainly when compared to the maximum fines regulators now have the power to impose.

“However, we expect that 2019 will see more fines for tens and potentially even hundreds of millions of euros, as regulators deal with the backlog of GDPR data breach notifications. It is likely that regulators and courts will look to EU competition law and jurisprudence for inspiration when calculating GDPR fines, and some regulators have already said they will do so. Competition regulators are not known to shy away from imposing hefty fines and have imposed some eye-catching multibillion-euro fines recently on large tech companies.”

Failing to protect client data that is held by UK law firms could well become extremely expensive, both financially and reputationally, as EU authorities look to impose harsher sanctions in line with the GDPR fines that have, until now, been overlooked by regulators.

Cyber security considerations should become a priority for law firms that look to defend their online presence against the persistent and sophisticated threat from cyber criminals whilst also ensuring they are GDPR compliant.

Many small to medium firms have started utilising the cyber accreditation IASME Governance, which looks at ensuring all devices connected to the internet are appropriately safeguarded and all firewalls/online defences are in place by issuing the government backed Cyber Essentials accreditation as well as considering GDPR by completing a readiness assessment within the IASME accreditation procedures.

Today’s Conveyancer have been proud to broadcast daily news alongside Today’s Legal Cyber Risk which publishes daily content on all pertinent issues regarding cyber attacks, data breaches and the impact on the legal sector. Click here to sign up for our free weekly newsletter.

The report indicates that EU regulators are going to enforce stricter regulations and sanctions for non-compliance in relation to GDPR, is your firm doing everything it could to ensure its data and sensitive client data are adequately protected?

Today's Conveyancer