Finance sector has received the most GDPR fines to date
The finance sector has received more fines for violating GDPR than any other industry, according to research from Mazars. It has amassed 11 fines since GDPR came into force, mostly in relation to the processing of personal data.
Since GDPR took effect in May 2018, supervisory authorities in 20 European countries have issued fines. The Czech Republic, Germany and Hungary have issued the most, at nine each, while 40% have issued just one. Eight countries have yet to issue any: Ireland, Croatia, Estonia, Finland, Luxembourg, Switzerland, Slovakia and Slovenia. However, penalties arising from ongoing Irish investigations are expected in future.
Professional services was the most fined sector after finance, with seven violations. Next was the public sector, which amassed a total of five fines. Seventeen breaches were uncategorised by sector as the details were not made public. Private citizens accounted for four fines.
As for the grounds for the fines, most (41) were issued for violation of Article 5, ‘Principles relating to the processing of personal data’. The average penalty for such a breach was €340,000. At the higher end, 15 companies were fined an average of €21 million for breaching Article 32, ‘Security of processing’. Further, the three organisations in breach of Article 14, ‘Information to be provided where personal data have not been obtained from the data subject’, received an average fine of €4.2 million. Violation of Article 13, ‘The right to be informed’, cost seven firms an average of €1.8 million each.
Three penalties were issued for breaches of Article 33, ‘Notification of a personal data breach to the supervisory authority’, and one for a breach of Article 34, ‘Communication of a personal data breach to the data subject’. The findings show that even where an organisation has implemented controls to protect personal data during a security incident, failing to follow the required notification procedure still attracts a penalty.
“What we can understand from examining the industries in which fines are being directed is that no organisation is exempt from the reach of the supervisory authorities, even private citizens are being subjected to fines for noncompliance,” said Liam McKenna, partner, Mazars Ireland. “Our analysis shows that issues around the processing of personal data have to date been the most prevalent but given the regulations are only just over a year old, this pattern may change as organisations become more familiar with their responsibilities.
“With the Irish Data Protection Commissioner set to administer fines in the future, it will be interesting to note the sectors impacted and most common violations fined and how they compare to other European countries.”