I work with risk management in information security. While I am not *that* interested in laws and regulations, they are an important part of the risk landscape. I gave a lecture on the GDPR last week where I dug into the violations and fines issued thus far from the risk management perspective. This essay is a write-up of the analysis I did and contains statistics from 536 fines (issued up to 31 January 2021). I look into countries, the number of penalties, sizes, distributions, and violation types/causes.
Privacy principles & Causes of GDPR fines
I will not go into specific GDPR articles in this write-up, but a short summary of the principles is necessary to understand the remainder of this essay. The following principles underpin GDPR (Source: Data privacy impact assessments (DPIA), e.g. NTNU):
- Lawfulness and transparency: Data must be processed in accordance with the law, which means that the data subject has given consent to the processing, or the processing is necessary as part of a contract, a legal obligation, the vital interests of the data subject, the public interest, or the legitimate interests of the controller.
- Fairness: Personal data must be used in a way that is fair.
- Purpose limitation: The purpose for the collection and processing should be specific, stated and justified.
- Data minimisation: Personal data must be adequate, relevant and limited to what is necessary in relation to the purpose of the processing.
- Accuracy: The personal data must be correct and up to date.
- Storage limitation: Personal information shall be deleted or anonymised when the purpose has been achieved.
- Integrity and confidentiality (security): Personal data shall be processed in such a way that the integrity, confidentiality and availability of the information is protected.
- Accountability: The data controller shall be responsible for, and be able to demonstrate compliance with, the data protection principles.
Violations of these principles, in the form of specific GDPR articles, cause fines. It is the national data protection authorities that issue fines. The big thing about GDPR, and the main reason it rattled so many bones, is the potential size of the penalties the data protection authorities can issue with GDPR in hand: up to 20 000 000 euro or, for enterprises, up to 4% of the previous financial year’s total annual turnover worldwide.
For this analysis, I used the data collected by the Enforcement tracker website, where the data is readily available. My dataset contains n=536 cases and I pulled it from the site on 31 January 2021. I am assuming that the data collected by Enforcement tracker has a high level of integrity.
Analysis and results
I will start my analysis with nations and frequencies. Table 1 (below) shows that the Spanish data protection authority issues by far the most GDPR fines with 176 (~33% of all fines). In the top five, Spain is joined by Romania (47), Italy (42), Hungary (36), and Germany (28).
Further, I found it interesting to look at the size of the fines. Table 2 shows the basic statistics for the distribution. The mean size of the GDPR fines is 521 838 Euros. However, when we compare it to the standard deviation, which is huge, and the median value, which is only 10 000 Euros, we can tell that the distribution of fines is heavily skewed: most fines cluster at the low end, and a few large outliers pull the mean up.
The minimum value in the dataset is 0, which is how it appears in the original data. The largest value is 50 000 000 Euro.
The distribution of fine sizes is illustrated in Figure 1, which shows that most of them are below 100 000 Euros. To be more specific: 86 of the 536 fines are 100k and above; the rest (450) are below. If we remove these 86 from the dataset to get more granularity, the distribution looks like this:
The majority of these fines (n=255) are less than 10 000 euros, as is visible in Figure 2. So far, we can conclude that the majority of GDPR fines are small, but we have a few large outliers.
Countries and fines
Moving forward, we dig into countries and fines. Remembering the results in Table 1, we would expect Spain to rank at the top in most cases, having issued roughly one-third of all penalties. However, Table 3 shows that Spain only ranks as number 5 when looking at the cumulative sum of GDPR fines. Italy has issued the most in penalties by cumulative sum, totalling 70 million euro in fines divided into 42 cases. Germany is in second place with 63 million divided into 26 cases, followed by France with 55 million in 14 cases. The UK has issued two considerable fines and two smaller ones, which puts them in fourth place. Going back to Spain, we see that they have a practice of issuing many small penalties: there are two significant fines issued by Spain in the dataset, Caixabank S.A. (6 million) and Banco Bilbao Vizcaya Argentaria, S.A. (5 million); the remaining 174 cases are 250 000 and below.
The largest GDPR fines
If you are like me, you will be interested in the most significant fines, so I have put together the dataset’s top 10 penalties. Table 4 shows in which country the fine was issued, the date, size, and who got fined. Additionally, Enforcement tracker has added the quoted GDPR article and, even better, categorises the type of violation. Kudos to them for doing that and making it understandable for us mere mortals.
Not surprisingly, it is one of the big tech companies that tops the list. The French data protection authority issued Google Inc a 50 million euro fine for violating articles 13, 14, 5, and 6 of the GDPR. Further, the German authorities fined the H&M online shop the second-largest amount at 35 million, and Italy fined the telecommunications operator TIM ~28 million. Common to the top three in the list is that Enforcement tracker categorizes the fines as “Insufficient legal basis for data processing.” I find that category self-explanatory as it connects to the first GDPR principle I listed in the introduction. This category was also the cause of the fines given to Wind Tre S.p.A, notebooksbilliger.de, and Eni gas Luce.
“Insufficient technical and organizational measures to ensure information security” was the cause for British Airways and Marriott International. Finally, “Non-compliance with the general processing principles” was the cause for the fines issued to Deutsche Wohnen and Vodafone Italia. Looking at the “Quoted art” column, I interpret the latter category as a kind of “catch-all” categorization, because of the multiple violations in these cases.
While I do not wish to get into the specific GDPR articles in this essay, it is worth mentioning that violations of article 5 occurred in 9 out of the top 10 fines.
Violations and costs
We briefly got into what causes fines in the last section. For the top 10 cases, we had three different types of violations, and these three are the major ones in the following analysis. Enforcement tracker has provided us with ten different GDPR violation types; these categories are interesting from a risk management perspective as they point at vulnerabilities. Also, we can easily tie them to the GDPR principles in the intro.
Table 5 summarizes the data and shows that the category that causes the most fines (n=205) and has the highest cumulative sum is “Insufficient legal basis for data processing.” So, enterprises and institutions not having sufficient legal coverage to collect and process personal data is by far the most common cause, about 40% of all cases, and it is additionally responsible for ~60% of the total sum fined!
The second-largest cause of fines (n=115) is Insufficient information security. The data processor was not managing the personal data in a secure manner and according to information security principles. The Non-compliance-category is in third place on the list. The top three causes also bear the risk of the highest fines as we saw in the top ten analysis.
These are followed by insufficient fulfilment of: (4) Data subjects rights, (5) information obligations, and (6) data breach notification obligations. Organizations have also been fined for not appointing a data protection officer, not cooperating with a supervisory authority, and for having insufficient data processing agreements.
Note that the fines for not appointing a privacy officer have the highest median value. Failing on data breach notifications also has a high median value. While both occur rarely, they tend to bring relatively high median fines, but may not have the same potential for the massive penalties as the top three. Time will show.
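The analysis above (the mean-versus-median skew check, the 100k threshold, and the per-country and per-violation-type aggregates) can be reproduced with a few lines of Python. This is an added example, not the author's code and not the Enforcement tracker data; the records are constructed and labelled as such, and the grouping keys are my own assumptions about the record layout.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

# Record layout assumed for this example: (country, fine in euro, violation category).
COUNTRY, AMOUNT, CATEGORY = 0, 1, 2

# Constructed sample records; NOT the Enforcement tracker dataset, only an illustration.
FINES = [
    ("France", 50_000_000, "Insufficient legal basis for data processing"),
    ("Germany", 35_000_000, "Insufficient legal basis for data processing"),
    ("UK", 22_000_000, "Insufficient technical and organisational measures"),
    ("Spain", 6_000_000, "Insufficient legal basis for data processing"),
    ("Spain", 10_000, "Insufficient technical and organisational measures"),
    ("Spain", 3_000, "Insufficient fulfilment of information obligations"),
    ("Spain", 1_500, "Insufficient legal basis for data processing"),
    ("Romania", 2_000, "Insufficient technical and organisational measures"),
    ("Hungary", 8_000, "Insufficient fulfilment of data breach notification obligations"),
    ("Italy", 0, "Non-compliance with general data processing principles"),
]

def size_stats(fines, threshold=100_000):
    """Basic distribution statistics plus the count of fines at or above a threshold."""
    amounts = [record[AMOUNT] for record in fines]
    return {
        "n": len(amounts),
        "mean": mean(amounts),
        "median": median(amounts),
        "stdev": pstdev(amounts),
        "min": min(amounts),
        "max": max(amounts),
        "n_at_or_above": sum(1 for a in amounts if a >= threshold),
    }

def long_right_tail(stats):
    """Mean far above the median, with a spread larger than the median, means most
    fines are small and a few large outliers pull the mean up."""
    return stats["mean"] > 10 * stats["median"] and stats["stdev"] > stats["median"]

def aggregate(fines, key):
    """Group by COUNTRY or CATEGORY and report count, cumulative sum and median."""
    groups = defaultdict(list)
    for record in fines:
        groups[record[key]].append(record[AMOUNT])
    return {k: {"count": len(v), "total": sum(v), "median": median(v)}
            for k, v in groups.items()}

def ranked(table, field):
    """Rank an aggregate table by count, total or median, largest first."""
    return sorted(table.items(), key=lambda kv: kv[1][field], reverse=True)

if __name__ == "__main__":
    s = size_stats(FINES)
    print(s, "long right tail:", long_right_tail(s))
    print("by count:", ranked(aggregate(FINES, COUNTRY), "count")[:3])
    print("by total:", ranked(aggregate(FINES, COUNTRY), "total")[:3])
    print("by category:", ranked(aggregate(FINES, CATEGORY), "count")[:3])
```

On the constructed sample, the country that issues the most fines is not the one with the largest cumulative sum, which is the same pattern the essay observes for Spain versus Italy.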
Thank you for sticking with me to the end of this essay. I did this analysis last weekend, but I can already see that a couple of new GDPR fines have been added to the sample size.
Finally, I think we can conclude that if you want to avoid being fined big for GDPR violations, work on your:
- Legal basis for data processing.
- Information security.
Furthermore, the Norwegian Data Protection Authority has issued a statement saying that they are aiming to fine the dating app Grindr 100 million NOK (~10 million euro) for violating the privacy of its customers. This violation is particularly worrying as Grindr manages very sensitive information. The Grindr fine would rank tenth among the biggest GDPR fines issued so far.