It has been more than three years since the EU General Data Protection Regulation (GDPR) took effect, and while there was a slow start to policing compliance, the number of violations being discovered has increased, as have financial penalties for non-compliance. European regulators are increasingly focusing on implementing the GDPR with a spotlight on organizations.
Data acquired by Finbold indicates that the cumulative number of GDPR violations surged by 113.5% over the 12 months between July 2020 and July 2021. In 2020, the number of fines was 332, rising to 709 in 2021. Over the same period, the total amount of fines imposed by EU regulators for the violations spiked by 124.92%. In July 2020, cumulative fines stood at €130.69m, growing to €293.96m in 2021.
Among the specific fines, big tech companies dominated, with Google accounting for the biggest share of fines at €60m as of 18 July 2021. Google Ireland ranks second with €40m in fines, while H&M Hennes & Mauritz Online Shop from Germany is third at €35.26m. The figures are based on the GDPR Enforcement Tracker and Finbold’s GDPR Fines 2020 report. Organisations in breach of the GDPR can be fined up to 4% of annual global turnover or €20m (whichever is greater).
The increasing fines highlight regulators' improved ability to detect personal data violations. They also show the power given to consumers, who are able to report data violations, as well as the urge by regulators to protect consumers, considering that the GDPR is relatively new.
Imposed fines are not always paid as required, with companies launching appeals. Different nations have also adopted various approaches to implementing the law, and some regulators have shown leniency due to the coronavirus pandemic, with some notable high-profile fines lowered as companies experienced financial hardship. However, maintains Finbold, the hefty fines are enabling businesses and organisations to prioritise data protection, and the fines are helping regulators in Europe set the blueprint for the rest of the world in managing data violation cases.