An Empirical Analysis of GDPR’s Fines to Date (Feb 2020) and What It Means for Organizations

Update (25 Jan 2021):

(1) The goal of this paper is to help organizations understand the impact of GDPR’s fines, and that’s best achieved through the latest data. While this paper’s conclusions are still accurate and worth reading, I encourage readers to review DLA Piper’s January 2021 analysis for the most up-to-date information. It can be accessed here: https://www.dlapiper.com/en/uk/news/2020/01/114-million-in-fines-have-been-imposed-by-european-authorities-under-gdpr

(2) The fine amounts levied against Marriott Hotels and British Airways were ultimately reduced by ~90 percent, with the ICO citing the impacts of the pandemic on these companies. This does render the numerical analyses out of date; however, the main conclusions and other analyses in this paper are still valid.

Until 8 July 2019, the average GDPR fine was US$5,600, but on that day, everything changed. The UK’s enforcer of GDPR (the ICO) announced on July 8 that British Airways would be fined a record £183M (US$226M) for a data breach involving 500,000 individuals (2.5% of their total global revenue). The next day, the ICO announces another fine — this time, £99M (US$120 million) against Marriott Hotels (~3% of their total global revenue).

British Airway’s Fine

GDPR’s potentially material fines are forcing not just British Airways or Marriott to put a greater emphasis on security & privacy, but on nearly every organization that handles PII (either directly themselves or on behalf of a client). No one wants to lose up to 4% of their global revenue.

While there have been articles published about the major fines, there hasn’t been an analysis of all known fines and the associated consequences for organizations. Having a clear, predictable understanding of how much EEA authorities will fine for violating GDPR enables organizations to make better investments. For example, an organization could put themselves at risk if they’ve prepare for a 1% of total revenue fine but are, in reality, at risk of a 3.5% fine. Having accurate information would enable that company to appropriately invest their limited resources towards a more mature ISMS (information security management system).

To assist organizations in better understanding the risks of the GDPR’s fines, we analyze all publicly available fines (as of 29 Jan 2020) and publish our findings in this paper. Our analysis considers quantitative and qualitative data, such as the amount of fines, reasons why the fines were issued, etc. We conclude by offering actionable advice that organizations can consider as they determine how to better comply with GDPR.*

Table of Contents

• Executive Summary
• Methodology
• How Data Protection Authorities (DPAs) Determine Fine Amounts
• Detailed Data Analysis
• Limitations & Next Research Steps
• Conclusion
• Sources & Legal disclaimer

Executive Summary

GDPR has made a significant impact on organizations, their vendors and fourth-parties. Having a clear, predictable understanding of how much and the reasons why EEA authorities are issuing fines for violating GDPR enables organizations to make better decisions on how to invest their limited resources.

Photo by Maryna Yazbeck on Unsplash

Our analysis uncovered seven main findings:

1. Fines have increased over time, with the average fine now in the millions of euros
2. Fine amounts can vary greatly by country, with the UK, France, Italy, Austria and Germany issuing the largest fines (on average)
3. Including the UK, 68% of orgs violating GDPR can expect to be fined €6–245 million (with a mean of €105M) per violation
4. Excluding the UK, 68% of orgs violating GDPR can expect to be fined €0–140 million (with a mean of €20M) per violation
5. Most organizations violating GDPR are found to be doing one, if not both, of the following:

i. Inadequate protecting PII from unauthorized disclosure, loss or alteration (i.e., data breach)

ii. Inappropriately obtaining consent from individuals (which requires the terms & conditions be communicated clearly and in plain language)

6. Fine amounts seemed to not be directly correlated to how often an organization was found to violate GDPR, though further research could provide additional insights onto this

7. Even “small” data breaches can have large consequences. British Airways’ first fine of £183M (US$226M) was for a data breach involving 500,000 individuals.

What Organizations Can Do to Mitigate the Risk of Fines

Understanding that an average fine in Feb 2020 is (excluding the UK) €20M, organizations can use this data to conduct a more data-based risk assessment and better determine how much to invest in mitigating risk.

For example, let’s say your organization determines that the risk of a GDPR fine is 50% (or €10M)/year. Further analysis determines that by investing an additional €5M/year into x, y and z in your ISMS (information security management system), your fine risk is lowered to 7% (or €1.4M)/year. Your organization could then make a more data-based decision that the €5M/year investment into additional data protection features is worthwhile.

Additionally, keep in mind that this analysis only considers the fine amount. The analysis does not include additional costs, including lost (future) sales, reputation, incident response costs (IBM estimates the avg. cost here is nearly US$4 million/incident), disruption to business, etc. These costs should be included in your analysis.

With these factors in mind, we recommend that organizations do the following to mitigate their risk of being subject to a fine under GDPR:

1. Conduct a data-based risk assessment and cost/benefit analysis

i. GDPR Recital 77 requires this risk assessment be based on industry best practices (e.g., NIST 800–30).

2. Address your risk assessment findings by making appropriate investments

3. Remember that GDPR requires organizations to have:

i. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of PII

ii. A process in place to regularly test, assess and evaluate the effectiveness of their ISMS

4. To more effectively address these recommendations, we highly recommend organizations be formally certified in ISO/IEC 27001:2013, SOC 2 Type II or an equivalent standard

Photo by Chris Lawton on Unsplash

What About the UK?

The UK will continue to be subject to GDPR through the remainder of 2020. While we don’t know what the UK’s data protection laws will be post-2020, the UK is generally privacy-conscious. This is shown by their having issued nearly 75% of all GDPR fines to-date and by this statement from their data protection authority (the ICO):

Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.

Additionally, the EU has stated that they will require GDPR-like protections in all future trade deals (at the expense of limiting free trade, if necessary), it’s highly likely that the UK will:

1. Continue to have stringent data protection laws in place
2. Issue material fines against organizations that fail to uphold individuals’ privacy rights

Organizations should make additional investments in their security programs and communicate their privacy policies clearly. The authors of this paper have found Google’s privacy policy to be clearly explained and should be emulated by organizations.

Conclusion

GDPR’s have increased in the past two years, and we predict the fine amounts will continue to increase over time. Organizations are encouraged to use (and build on) this study’s empirical analysis to more effectively determine how they can best comply with GDPR (e.g., preventing data breaches).

Methodology

We first began by converting all values to euros. Conversions in this report into other currencies used exchange rates available in Feb. 2020. We analyzed the data in Microsoft Excel using basic statistical methods, including utilizing a population standard deviation rather than a sample standard deviation. This is due to our analysis include all publicly disclosed GDPR fines rather than a sample. Under GDPR, all fines are required to be made public.

Photo by Aaron Burden on Unsplash

While the UK has officially left the EU, it is still subject to GDPR through 2020, and EU authorities have made clear that any future trade deals must include GDPR-like provisions. Therefore, it’s likely that the UK will continue to have GDPR-like protections going forward. Therefore, our analysis generally includes data from the UK.

How Data Protection Authorities (DPAs) Determine Fine Amounts

In order to understand how future fines may impact an organization, knowing how fines are levied is important to know. Article 83 outlines how fines should be imposed under GDPR.

When a DPA determines an organization has violated GDPR, they make a recommendation to their respective national court for how much the organization should be fined. The court then assess the final situation and determines how large the fine should be.

When both DPAs and the courts assess the amount of a fine, they follow the principles of Article 83 to ensure that the fine is “effective, proportionate and dissuasive.” The major principles are to consider:

• The nature, magnitude and duration of the violation
• If the violation was intentional or from negligence
• Any actions the organization took to limit the damage to the affected individuals
• Any previous violations of GDPR the organization has committed
• How cooperative with the DPA the organization has been
• The types of PII affected
• How the DPA was alerted to the violation, such as if the organization self-reported or the DPA discovered the violation through a news report

Lastly, fines are levied per violation. If an organization is found to have not appropriately obtained consent and has a data breach, both situations are handled as an individual violation and subject to fines.

Detailed Data Analysis

In this section, we provide graphics, charts, etc. that we created from our analysis and to create this paper. The spreadsheet we used in our analysis is available here. We obtained the raw data from The enforcementtracker database.

Because the United Kingdom is subject to GDPR until the end of 2020 and it’s likely to continue to have strong data protection laws in place, we both generally include the UK in these analyses. Some analyses are done twice, once with and once without the UK.

Readers may observe that not every country in the EEA is listed in our analysis. This is because not every country has (as of 29 Jan 2020) publicly announced a GDPR-related fine (under GDPR, fines are to be made publicly available).

Number of Fines by Country

The top five countries that have issued the most fines is the same with and without the UK included in the analysis. These countries are:

1. Spain (42)
2. Romania (21)
3. Germany (18)
4. Bulgaria (16)
5. Hungary (14)

Number of fines issued by country

Total fines by country, less the UK

Thus far, EEA authorities have issued €116M in fines (US$127M). Excluding the UK, the top five countries that have issued the most cumulative fines are:

1. France (€51.1M)
2. Germany (€24.9M)
3. Austria (€18.1M)
4. Italy (€11.6M)
5. Bulgaria (€3.2M)

Total issues fines by country, less the UK

The UK has issued a total of €315M in fines, which is 2.7 times greater than the rest of the EEA’s fines combined.

Avg. fine by country, including the UK

The two previous analyses can be useful in determining how much each country may fine; however, looking at the avg. fine per violation is a much more useful metric for our purposes. The top five countries that have issued the most fines on average are:

1. The United Kingdom (€105.1M/fine)
2. France (€10.2M/fine)
3. Italy (€3.9M/fine)
4. Austria (€3.0M/fine)
5. Germany (€1.5M/fine)

Avg. fine by country, including the UK

The UK has issued just three fines under GDPR. The Marriott International fine alone (€110) is almost equal to the total amount of fines issued by the EEA combined (€116). Thus, the chart above shows the other countries’ fines are minimal on avg. compared to those issued by the UK.

Avg. fine including std. dev., including the UK

Building on the last analysis, we analyze fines by std. deviation. This enables us to understand where we can anticipate most fines to fall. Note that the negative values will, in reality, be zero or minimal. Because this data includes all known fines and is, thus, not a sample, we utilize a population standard deviation rather than a sample standard deviation. For all countries in the EEA, our analysis produced the following results (with an avg. fine of €125M):

• 68% of fines: €6–245 million
• 95% of fines: €0–364 million
• 99.7% of fines: €0–483 million

Avg. fine including the std. deviation

An illustration of the 68–95–99.7 rule

Based on these results, most organizations that violate GDPR can expect to receive a fine between €6.2–245 million; however, the amount varies greatly by country. Because the UK will be leaving the UK soon, we analyze a scenario where the UK’s fines are not considered; however, for 2020 organizations found to be violating GDPR and subject to an investigation by the UK’s ICO can expect to be fined between €22–189 million by the ICO.

Avg. fine including std. dev., less the UK

As discussed earlier, the UK accounts for nearly 75% of total fines issued. Because the UK is leaving the EU and their fines are substantial, additional analysis that excludes the UK is warranted.

avg. fine by std. dev, less the UK

Keep in mind that the average fine is €20M:

• 68% of fines: €0–140 million
• 95% of fines: €0–259 million
• 99.7% of fines: €0–378 million

Avg. Fine Amount Over Time

Avg. fine amount over time

Based on a linear trend-line, the average avg. GDPR fine goes up over time. Even when withdrawing the three largest fines (in January 2019 and July 2019), the upwards trend is evident. This finding is in line with what’s been expected to happen.

Analyzing the avg. fine per quarter, we see the following trend:

• Q3 2018 — €200,000
• Q4 2018 — €8,000
• Q1 2019 — €16,700,000
• Q2 2019 — €317,000
• Q3 2019 — €45,700,000
• Q4 2019 — €2,300,000

While there is variation in the amount quarter-to-quarter, the overall trend is that fines are consistently increasing.

Primary Reasons for Violations

The following five Articles of GDPR have been violated the most. A complete list is beneath the top-five list. It’s important to note, that a single fine can include violations of multiple articles.

1. Article 5 (48) — PII is to be processed lawfully, fairly and transparently and be protected from unauthorized processing, disclosure and destruction.
2. Article 6 (30) — PII may only be processed if the individual has given his/her explicit consent for the specified purpose(s).
3. Article 13 (13) — When collecting an individual’s PII, the data controller must provide several types of information, such as the DPO’s contact information, the recipient(s)/who will assist process their data and an enumeration of the individual’s privacy rights.
4. Article 32 (9) — Data controllers and processors must implement appropriate security measures commensurate to the types of PII processed that prevent unauthorized destruction, loss, alteration and/or disclosure of PII.
5. Article 12 (8) — Data controllers must clearly, transparently and in plain language communicate the reason(s) for the processing of PII and within one month respond to individuals’ requests to fulfill their privacy rights.

Violations by GDPR’s Article

Based on this analysis, we observe that organizations receiving fines under GDPR tend to not be doing two things:

1. Adequately protecting PII from unauthorized disclosure, loss or alteration
2. Appropriately obtaining consent from individuals, which includes communicating the terms & conditions clearly, plainly and in plain language

Limitations & Next Research Steps

While the author has conducted this analysis to the best of his abilities, there are inherent limitations of being a single researcher. For example, there may be factors, data, etc. that weren’t consider, calculated incorrectly, etc.

To improve upon this research, the author invites others (both in academia and industry) to build on his work and/or collaborate with him. With additional investment & resources, this article can be enhanced by conducting interviews with DPAs, fined organizations, percentage of annual turnover fined, etc. and putting the article through the rigor needed to publish an an A-level academic journal.

Another limitation of this study is that it doesn’t factor fines as a percentage of global revenue. One deterrent for doing this is that both private and publicly-traded organizations (e.g., business, non-profits, churches, etc.) are subject to GDPR, making determining the fine as percentage of revenue difficult in every situation. For this initial analysis, we have chosen to not consider this factor; however, doing so in future will provide additional insights and benefits to organizations. We encourage other researchers to build on our analysis and provide additional insights.

Such analysis would provide even more value & benefit to organizations and the individuals they serve.

Sources

• Data for this analysis was taken from The enforcementtracker database. The enfocementtracker database is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
  enforcementtracker.com, provided by CMS Law.Tax
• GDPR — A Comprehensive Overview by Andrew Sanford
• Full, original text of the GDPR

Legal Disclaimer

*The advice offered in this paper is not legal advice. Organizations should consult with appropriate parties, including legal counsel and data privacy experts, before implementing GDPR-related programs, initiatives, etc. at their organization. GDPR is complicated, nuanced and principles-based. Great care must be taken when determining how your organization can comply with GDPR. While the advice contained herein can be helpful when considering risks to your organization, implementing GDPR solely based on the limited information in this paper is unwise and should not be done.