An Empirical Analysis of GDPR’s Fines to Date (Feb 2020) and What It Means for Organizations
Update (25 Jan 2021):
(1) The goal of this paper is to help organizations understand the impact of GDPR’s fines, and that’s best achieved through the latest data. While this paper’s conclusions are still accurate and worth reading, I encourage readers to review DLA Piper’s January 2021 analysis for the most up-to-date information. It can be accessed here: https://www.dlapiper.com/en/uk/news/2020/01/114-million-in-fines-have-been-imposed-by-european-authorities-under-gdpr
(2) The fine amounts levied against Marriott Hotels and British Airways were ultimately reduced by ~90 percent, with the ICO citing the impacts of the pandemic on these companies. This does render the numerical analyses out of date; however, the main conclusions and other analyses in this paper are still valid.
Until 8 July 2019, the average GDPR fine was US$5,600, but on that day, everything changed. The UK’s enforcer of GDPR (the ICO) announced on July 8 that British Airways would be fined a record £183M (US$226M) for a data breach involving 500,000 individuals (2.5% of their total global revenue). The next day, the ICO announced another fine — this time, £99M (US$120 million) against Marriott Hotels (~3% of their total global revenue).
GDPR’s potentially material fines are forcing not just British Airways and Marriott, but nearly every organization that handles PII (either directly or on behalf of a client), to put a greater emphasis on security & privacy. No one wants to lose up to 4% of their global revenue.
While there have been articles published about the major fines, there hasn’t been an analysis of all known fines and the associated consequences for organizations. Having a clear, predictable understanding of how much EEA authorities will fine for violating GDPR enables organizations to make better investments. For example, an organization could put itself at risk if it has prepared for a fine of 1% of total revenue but is, in reality, at risk of a 3.5% fine. Having accurate information would enable that company to appropriately invest its limited resources towards a more mature ISMS (information security management system).
To assist organizations in better understanding the risks of the GDPR’s fines, we analyze all publicly available fines (as of 29 Jan 2020) and publish our findings in this paper. Our analysis considers quantitative and qualitative data, such as the amount of fines, reasons why the fines were issued, etc. We conclude by offering actionable advice that organizations can consider as they determine how to better comply with GDPR.*
Table of Contents
- Executive Summary
- Methodology
- How Data Protection Authorities (DPAs) Determine Fine Amounts
- Detailed Data Analysis
- Limitations & Next Research Steps
- Conclusion
- Sources & Legal disclaimer
Executive Summary
GDPR has made a significant impact on organizations, their vendors and fourth-parties. Having a clear, predictable understanding of how much and the reasons why EEA authorities are issuing fines for violating GDPR enables organizations to make better decisions on how to invest their limited resources.
Our analysis uncovered seven main findings:
1. Fines have increased over time, with the average fine now in the millions of euros
2. Fine amounts can vary greatly by country, with the UK, France, Italy, Austria and Germany issuing the largest fines (on average)
3. Including the UK, 68% of orgs violating GDPR can expect to be fined €6–245 million (with a mean of €105M) per violation
4. Excluding the UK, 68% of orgs violating GDPR can expect to be fined €0–140 million (with a mean of €20M) per violation
5. Most organizations violating GDPR are found to be doing one, if not both, of the following:
i. Inadequately protecting PII from unauthorized disclosure, loss or alteration (i.e., data breach)
ii. Inappropriately obtaining consent from individuals (which requires the terms & conditions be communicated clearly and in plain language)
6. Fine amounts did not seem to be directly correlated with how often an organization was found to violate GDPR, though further research could provide additional insights into this
7. Even “small” data breaches can have large consequences. British Airways’ first fine of £183M (US$226M) was for a data breach involving 500,000 individuals.
What Organizations Can Do to Mitigate the Risk of Fines
Understanding that an average fine in Feb 2020 is (excluding the UK) €20M, organizations can use this data to conduct a more data-based risk assessment and better determine how much to invest in mitigating risk.
For example, let’s say your organization determines that the risk of a GDPR fine is 50% (or €10M)/year. Further analysis determines that by investing an additional €5M/year into x, y and z in your ISMS (information security management system), your fine risk is lowered to 7% (or €1.4M)/year. Your organization could then make a more data-based decision that the €5M/year investment into additional data protection features is worthwhile.
Additionally, keep in mind that this analysis only considers the fine amount. The analysis does not include additional costs, including lost (future) sales, reputation, incident response costs (IBM estimates the avg. cost here is nearly US$4 million/incident), disruption to business, etc. These costs should be included in your analysis.
With these factors in mind, we recommend that organizations do the following to mitigate their risk of being subject to a fine under GDPR:
1. Conduct a data-based risk assessment and cost/benefit analysis
i. GDPR Recital 77 requires this risk assessment be based on industry best practices (e.g., NIST 800–30).
2. Address your risk assessment findings by making appropriate investments
3. Remember that GDPR requires organizations to have:
i. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of PII
ii. A process in place to regularly test, assess and evaluate the effectiveness of their ISMS
4. To more effectively address these recommendations, we highly recommend organizations be formally certified in ISO/IEC 27001:2013, SOC 2 Type II or an equivalent standard
What About the UK?
The UK will continue to be subject to GDPR through the remainder of 2020. While we don’t know what the UK’s data protection laws will be post-2020, the UK is generally privacy-conscious. This is shown by their having issued nearly 75% of all GDPR fines to date and by this statement from their data protection authority (the ICO):
Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.
Additionally, because the EU has stated that it will require GDPR-like protections in all future trade deals (at the expense of limiting free trade, if necessary), it’s highly likely that the UK will:
- Continue to have stringent data protection laws in place
- Issue material fines against organizations that fail to uphold individuals’ privacy rights
Organizations should make additional investments in their security programs and communicate their privacy policies clearly. The authors of this paper have found Google’s privacy policy to be clearly explained and believe it should be emulated by organizations.
Conclusion
GDPR fines have increased in the past two years, and we predict the fine amounts will continue to increase over time. Organizations are encouraged to use (and build on) this study’s empirical analysis to more effectively determine how they can best comply with GDPR (e.g., preventing data breaches).
Methodology
We began by converting all values to euros. Conversions in this report into other currencies used exchange rates available in Feb. 2020. We analyzed the data in Microsoft Excel using basic statistical methods, including utilizing a population standard deviation rather than a sample standard deviation. This is because our analysis includes all publicly disclosed GDPR fines rather than a sample. Under GDPR, all fines are required to be made public.
While the UK has officially left the EU, it is still subject to GDPR through 2020, and EU authorities have made clear that any future trade deals must include GDPR-like provisions. It’s therefore likely that the UK will continue to have GDPR-like protections going forward, and our analysis generally includes data from the UK.
How Data Protection Authorities (DPAs) Determine Fine Amounts
In order to understand how future fines may impact an organization, it is important to know how fines are levied. Article 83 outlines how fines should be imposed under GDPR.
When a DPA determines an organization has violated GDPR, they make a recommendation to their respective national court for how much the organization should be fined. The court then assesses the situation and determines how large the fine should be.
When both DPAs and the courts assess the amount of a fine, they follow the principles of Article 83 to ensure that the fine is “effective, proportionate and dissuasive.” The major principles are to consider:
- The nature, magnitude and duration of the violation
- If the violation was intentional or from negligence
- Any actions the organization took to limit the damage to the affected individuals
- Any previous violations of GDPR the organization has committed
- How cooperative with the DPA the organization has been
- The types of PII affected
- How the DPA was alerted to the violation, such as if the organization self-reported or the DPA discovered the violation through a news report
Lastly, fines are levied per violation. If an organization is found to have not appropriately obtained consent and also has a data breach, each situation is handled as an individual violation and is subject to its own fine.
Detailed Data Analysis
In this section, we provide the graphics, charts, etc. that we created from our analysis for this paper. The spreadsheet we used in our analysis is available here. We obtained the raw data from the enforcementtracker database.
Because the United Kingdom is subject to GDPR until the end of 2020 and it’s likely to continue to have strong data protection laws in place, we generally include the UK in these analyses. Some analyses are done twice, once with and once without the UK.
Readers may observe that not every country in the EEA is listed in our analysis. This is because not every country has (as of 29 Jan 2020) publicly announced a GDPR-related fine (under GDPR, fines are to be made publicly available).
Number of Fines by Country
The top five countries that have issued the most fines are the same with and without the UK included in the analysis. These countries are:
- Spain (42)
- Romania (21)
- Germany (18)
- Bulgaria (16)
- Hungary (14)
Total fines by country, less the UK
Thus far, EEA authorities have issued €116M in fines (US$127M). Excluding the UK, the top five countries that have issued the most cumulative fines are:
- France (€51.1M)
- Germany (€24.9M)
- Austria (€18.1M)
- Italy (€11.6M)
- Bulgaria (€3.2M)
The UK has issued a total of €315M in fines, which is 2.7 times greater than the rest of the EEA’s fines combined.
Avg. fine by country, including the UK
The two previous analyses can be useful in determining how much each country may fine; however, looking at the avg. fine per violation is a much more useful metric for our purposes. The top five countries that have issued the most fines on average are:
- The United Kingdom (€105.1M/fine)
- France (€10.2M/fine)
- Italy (€3.9M/fine)
- Austria (€3.0M/fine)
- Germany (€1.5M/fine)
The UK has issued just three fines under GDPR. The Marriott International fine alone (€110M) is almost equal to the total amount of fines issued by the rest of the EEA combined (€116M). Thus, the chart above shows the other countries’ fines are minimal on avg. compared to those issued by the UK.
Avg. fine including std. dev., including the UK
Building on the last analysis, we analyze fines by std. deviation. This enables us to understand where we can anticipate most fines to fall. Note that the negative values will, in reality, be zero or minimal. Because this data includes all known fines and is, thus, not a sample, we utilize a population standard deviation rather than a sample standard deviation. For all countries in the EEA, our analysis produced the following results (with an avg. fine of €125M):
- 68% of fines: €6–245 million
- 95% of fines: €0–364 million
- 99.7% of fines: €0–483 million
Based on these results, most organizations that violate GDPR can expect to receive a fine between €6.2–245 million; however, the amount varies greatly by country. Because the UK will be leaving the EU soon, we also analyze a scenario where the UK’s fines are not considered; however, for 2020, organizations found to be violating GDPR and subject to an investigation by the UK’s ICO can expect to be fined between €22–189 million by the ICO.
Avg. fine including std. dev., less the UK
As discussed earlier, the UK accounts for nearly 75% of total fines issued. Because the UK is leaving the EU and their fines are substantial, additional analysis that excludes the UK is warranted.
Keep in mind that the average fine is €20M:
- 68% of fines: €0–140 million
- 95% of fines: €0–259 million
- 99.7% of fines: €0–378 million
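The paper’s numerical method (population standard deviation because the data is the whole population, negative lower bounds clamped to zero, a separate run with the UK excluded) and the cost/benefit illustration from the executive summary, reproduced as an added example. This is not the paper’s spreadsheet; the fine records below are constructed sample values, not the enforcementtracker data.

```python
"""Added example: the paper's fine-band and cost/benefit arithmetic on constructed data."""
from collections import defaultdict
from math import sqrt

# Constructed sample records (country, fine in EUR). NOT the real enforcementtracker dataset.
SAMPLE_FINES = [
    ("UK", 204_600_000), ("UK", 110_000_000), ("UK", 400_000),
    ("FR", 50_000_000), ("FR", 1_100_000),
    ("DE", 14_500_000), ("DE", 105_000), ("DE", 20_000),
    ("AT", 18_000_000), ("AT", 50_000),
    ("ES", 30_000), ("ES", 5_000), ("ES", 60_000),
]


def population_std(values):
    """Population (divide by n), not sample (n-1), std dev: the paper treats all public fines as the population."""
    n = len(values)
    mean = sum(values) / n
    return sqrt(sum((v - mean) ** 2 for v in values) / n)


def fine_bands(values):
    """Return ({k: (low, high)} for 1/2/3 sigma, mean); low is clamped at 0 since a fine cannot be negative."""
    mean = sum(values) / len(values)
    sd = population_std(values)
    return {k: (max(0.0, mean - k * sd), mean + k * sd) for k in (1, 2, 3)}, mean


def average_by_country(records):
    """Average fine per country (the paper's 'avg. fine by country' view)."""
    per_country = defaultdict(list)
    for country, amount in records:
        per_country[country].append(amount)
    return {c: sum(v) / len(v) for c, v in per_country.items()}


def exclude(records, country):
    """Drop one country's fines, as the paper does for its 'less the UK' analyses."""
    return [r for r in records if r[0] != country]


def expected_loss(probability, mean_fine):
    """Annualized expected fine: probability of being fined in a year times the mean fine."""
    return probability * mean_fine


def investment_worthwhile(p_before, p_after, mean_fine, yearly_cost):
    """True when the reduction in expected annual loss exceeds the yearly ISMS investment."""
    return expected_loss(p_before, mean_fine) - expected_loss(p_after, mean_fine) > yearly_cost


if __name__ == "__main__":
    amounts = [a for _, a in exclude(SAMPLE_FINES, "UK")]
    bands, mean = fine_bands(amounts)
    print(f"mean fine less the UK: €{mean:,.0f}")
    for k, (lo, hi) in bands.items():
        print(f"{k} sigma: €{lo:,.0f} – €{hi:,.0f}")
    print("€5M/yr investment worthwhile:", investment_worthwhile(0.5, 0.07, 20_000_000, 5_000_000))
```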
Avg. Fine Amount Over Time
Based on a linear trend-line, the average GDPR fine goes up over time. Even when excluding the three largest fines (in January 2019 and July 2019), the upward trend is evident. This finding is in line with what’s been expected to happen.
Analyzing the avg. fine per quarter, we see the following trend:
- Q3 2018 — €200,000
- Q4 2018 — €8,000
- Q1 2019 — €16,700,000
- Q2 2019 — €317,000
- Q3 2019 — €45,700,000
- Q4 2019 — €2,300,000
While there is variation in the amount quarter-to-quarter, the overall trend is that fines are consistently increasing.
Primary Reasons for Violations
The following five Articles of GDPR have been violated the most. A complete list is beneath the top-five list. It’s important to note that a single fine can include violations of multiple articles.
- Article 5 (48) — PII is to be processed lawfully, fairly and transparently and be protected from unauthorized processing, disclosure and destruction.
- Article 6 (30) — PII may only be processed if the individual has given his/her explicit consent for the specified purpose(s).
- Article 13 (13) — When collecting an individual’s PII, the data controller must provide several types of information, such as the DPO’s contact information, the recipient(s) who will process or assist in processing their data, and an enumeration of the individual’s privacy rights.
- Article 32 (9) — Data controllers and processors must implement appropriate security measures commensurate to the types of PII processed that prevent unauthorized destruction, loss, alteration and/or disclosure of PII.
- Article 12 (8) — Data controllers must clearly, transparently and in plain language communicate the reason(s) for the processing of PII and within one month respond to individuals’ requests to fulfill their privacy rights.
Based on this analysis, we observe that organizations receiving fines under GDPR tend not to be doing two things:
- Adequately protecting PII from unauthorized disclosure, loss or alteration
- Appropriately obtaining consent from individuals, which includes communicating the terms & conditions clearly and in plain language
Limitations & Next Research Steps
While the author has conducted this analysis to the best of his abilities, there are inherent limitations of being a single researcher. For example, there may be factors, data, etc. that weren’t considered, were calculated incorrectly, etc.
To improve upon this research, the author invites others (both in academia and industry) to build on his work and/or collaborate with him. With additional investment & resources, this article can be enhanced by conducting interviews with DPAs and fined organizations, analyzing fines as a percentage of annual turnover, etc., and by putting the article through the rigor needed to publish in an A-level academic journal.
Another limitation of this study is that it doesn’t factor fines as a percentage of global revenue. One deterrent to doing this is that both private and publicly-traded organizations (e.g., businesses, non-profits, churches, etc.) are subject to GDPR, which makes it difficult to determine the fine as a percentage of revenue in every case. For this initial analysis, we have chosen not to consider this factor; however, doing so in future will provide additional insights and benefits to organizations. We encourage other researchers to build on our analysis and provide additional insights.
Such analysis would provide even more value & benefit to organizations and the individuals they serve.
Sources
- Data for this analysis was taken from the enforcementtracker database (enforcementtracker.com, provided by CMS Law.Tax). The enforcementtracker database is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
- GDPR — A Comprehensive Overview by Andrew Sanford
- Full, original text of the GDPR
Legal Disclaimer
*The advice offered in this paper is not legal advice. Organizations should consult with appropriate parties, including legal counsel and data privacy experts, before implementing GDPR-related programs, initiatives, etc. at their organization. GDPR is complicated, nuanced and principles-based. Great care must be taken when determining how your organization can comply with GDPR. While the advice contained herein can be helpful when considering risks to your organization, implementing GDPR solely based on the limited information in this paper is unwise and should not be done.