An Analysis of GDPR fines

I work with risk management in information security. While I am not *that* interested in laws and regulations, they are an important part of the risk landscape. I gave a lecture on the GDPR last week where I dug into the violations and fines issued thus far from the risk management perspective. This essay is a write-up of the analysis I did and contains statistics from 536 fines (issued up to 31 January 2021). I look into countries, the number of penalties, sizes, distributions, and violation types/causes.

Privacy principles & Causes of GDPR fines

  • Lawfulness and transparency: Personal data must be processed lawfully, which means that the data subject has given consent to the processing, or the processing is necessary as part of a contract, a legal obligation, the vital interests of the data subject, the public interest, or the legitimate interests of the controller. The data subject must also be told, in clear terms, what is done with the data.
  • Fairness: Personal data must be used in a way that is fair.
  • Purpose limitation: The purpose for the collection and processing should be specific, stated and justified.
  • Data minimisation: Personal data must be adequate, relevant and limited to what is necessary in relation to the purpose of the processing.
  • Accuracy: The personal data must be correct and up to date.
  • Storage limitation: Personal information shall be deleted or anonymised when the purpose has been achieved.
  • Integrity and confidentiality (security): Personal data shall be processed in such a way that the integrity, confidentiality and availability of the information is protected.
  • Accountability: The data controller shall be responsible for, and be able to demonstrate compliance with, the data protection principles.

Fines are issued for violations of the specific GDPR articles that embody these principles, and it is the national data protection authorities that issue them. The big thing about GDPR, and the main reason it rattled so many cages, is the potential size of the penalties the data protection authorities can issue with GDPR in hand: up to 20 000 000 euro or, for enterprises, up to 4% of the previous financial year's total annual turnover worldwide, whichever is higher.

Dataset

Analysis and results

Table 1: The number of GDPR fines per country

Further, I found it interesting to look at the size of the fines. Table 2 shows the basic statistics for the distribution. The mean size of the GDPR fines is 521 838 euros. However, when we compare it to the (huge) standard deviation and to the median value, which is only 10 000 euros, we can tell that the distribution is heavily right-skewed: most fines are clustered at the low end, and a few very large ones pull the mean up.

Table 2: Descriptive statistics for the GDPR fines

The minimum value in the dataset is 0, which is simply how the source data records some entries; I have not removed them. The largest value is 50 000 000 euro.

Figure 1: Distribution of GDPR fine sizes (size in Euro X-axis, frequency Y-axis)

The distribution of fine sizes is illustrated in Figure 1, which shows that most of them are below 100 000 euros. To be more specific: 86 of the 536 fines are 100k or above, and the rest (450) are below. If we remove these 86 from the dataset to see the remaining fines in more detail, the distribution looks like this:

Figure 2: Distribution of fines issued below 100 000 euros, n=450

The majority of these fines (n=255) are less than 10 000 euros, as is visible in Figure 2. So far, we can conclude that the majority of GDPR fines are small, but there are a few large outliers.

Countries and fines

The top 11 countries by cumulative sum of GDPR fines (rightmost column)
Figure 3: Bar chart of fines issued per Nation’s data protection authority

The largest GDPR fines

Table 4: Top 10 GDPR fines

Not surprisingly, it is one of the big tech companies that tops the list. The French data protection authority issued Google Inc a 50 million euro fine for violating articles 13, 14, 5, and 6 of the GDPR. Further, the German authorities fined the H&M online shop the second-largest fine at 35 million, and Italy fined the telecommunications operator TIM ~28 million. Common to the top three in the list is that Enforcement Tracker categorizes the fines as "Insufficient legal basis for data processing." I find that category self-explanatory, as it connects to the first GDPR principle I listed in the introduction. This category also accounts for the fines given to Wind Tre S.p.A, notebooksbilliger.de, and Eni Gas e Luce.

"Insufficient technical and organizational measures to ensure information security" was the cause for British Airways and Marriott International. Finally, "Non-compliance with the general processing principles" was the cause for the fines issued to Deutsche Wohnen and Vodafone Italia. Looking at the "Quoted art" column, I interpret the latter category as a kind of catch-all categorization, because these cases involve multiple violations.

While I do not wish to get into the specific GDPR articles in this essay, it is worth mentioning that violations of article 5 occurred in 9 out of the top 10 fines.

Violations and costs

Table 5 summarizes the data and shows that the category that causes the most fines (n=205) and has the highest cumulative sum is "Insufficient legal basis for data processing." So, enterprises and institutions lacking a sufficient legal basis to collect and process personal data is by far the most common cause, at about 40% of all cases, and it is additionally responsible for ~60% of the total sum fined!

Table 5: GDPR Violation types, n per type, and statistics. Sorted on mean cumulative sum.

The second-largest cause of fines (n=115) is insufficient information security: the controller or processor was not managing the personal data in a secure manner and according to information security principles. The non-compliance category is in third place on the list. The top three causes also carry the risk of the highest fines, as we saw in the top ten analysis.

These are followed by insufficient fulfilment of (4) data subjects' rights, (5) information obligations, and (6) data breach notification obligations. Organizations have also been fined for not appointing a data protection officer, for not cooperating with a supervisory authority, and for having insufficient data processing agreements.

Note that the fines for not appointing a data protection officer have the highest median value, and failing on data breach notifications also has a high median value. Both categories have few occurrences, so while they tend to bring fairly high median fines, they may not have the same potential for the massive penalties seen in the top three. Time will tell.
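The skew check above (mean far above median, Figures 1 and 2) and the per-category summary in Table 5 are simple to reproduce from raw fine records. The following is an added example, not code from the original essay or its dataset: it builds the descriptive statistics, the below/above 100k split and a Table 5 style category breakdown from a small constructed set of records. The `FINES` list and its amounts are constructed sample values chosen to show the skew, not rows from the real dataset.

```python
"""Added example (not part of the original essay): summarise a constructed
set of GDPR fine records per violation category and overall, so that the
skew the essay describes (mean far above median) is visible in the numbers."""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed sample records: (violation category, fine in euro).
# These are illustrative values only, not rows from the essay's dataset.
FINES = [
    ("Insufficient legal basis for data processing", 50_000_000),
    ("Insufficient legal basis for data processing", 35_000_000),
    ("Insufficient legal basis for data processing", 2_000),
    ("Insufficient legal basis for data processing", 10_000),
    ("Insufficient legal basis for data processing", 0),  # zero-amount entry, kept
    ("Insufficient technical and organisational measures", 20_000_000),
    ("Insufficient technical and organisational measures", 5_000),
    ("Insufficient technical and organisational measures", 50_000),
    ("Non-compliance with general data processing principles", 12_000_000),
    ("Non-compliance with general data processing principles", 8_000),
    ("Insufficient fulfilment of data breach notification obligations", 80_000),
    ("Insufficient fulfilment of data breach notification obligations", 120_000),
    ("Insufficient appointment of data protection officer", 50_000),
]


def describe(amounts):
    """Descriptive statistics (n, sum, mean, median, std, min, max) for fine amounts."""
    return {
        "n": len(amounts),
        "sum": sum(amounts),
        "mean": mean(amounts),
        "median": median(amounts),
        "std": pstdev(amounts),
        "min": min(amounts),
        "max": max(amounts),
    }


def bucket(amounts, threshold=100_000):
    """Return (count below threshold, count at or above threshold)."""
    above = sum(1 for a in amounts if a >= threshold)
    return len(amounts) - above, above


def is_right_skewed(amounts, ratio=2.0):
    """A mean several times the median is a quick sign that a few large
    outliers dominate the distribution, as with the real GDPR fines."""
    return mean(amounts) > ratio * median(amounts)


def summarise_by_category(records):
    """Per-category n, cumulative sum, mean, median and share of the grand
    total, sorted by cumulative sum descending (the shape of Table 5)."""
    groups = defaultdict(list)
    for category, amount in records:
        groups[category].append(amount)
    total = sum(a for _, a in records) or 1  # avoid division by zero on empty input
    rows = []
    for category, amounts in groups.items():
        stats = describe(amounts)
        stats["category"] = category
        stats["share_of_total"] = stats["sum"] / total
        rows.append(stats)
    rows.sort(key=lambda r: r["sum"], reverse=True)
    return rows


if __name__ == "__main__":
    amounts = [a for _, a in FINES]
    overall = describe(amounts)
    print(f"n={overall['n']} mean={overall['mean']:,.0f} "
          f"median={overall['median']:,.0f} skewed={is_right_skewed(amounts)}")
    below, above = bucket(amounts)
    print(f"below 100k: {below}, at/above 100k: {above}")
    for row in summarise_by_category(FINES):
        print(f"{row['category'][:48]:48} n={row['n']:2} sum={row['sum']:>12,} "
              f"median={row['median']:>10,.0f} share={row['share_of_total']:.0%}")
```

Swapping `FINES` for the real records (for instance an export from Enforcement Tracker with the same two fields) gives the same kind of summary the essay draws its conclusions from; the share-of-total column is what shows one category dominating the money even when its median fine is small.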

Conclusion

Finally, I think we can conclude that if you want to avoid a big GDPR fine, work on your:

  1. Legal basis for data processing.
  2. Information security
  3. Compliance with the general data processing principles

Furthermore, the Norwegian Data Protection Authority has issued a statement saying that it intends to fine the dating app Grindr 100 million NOK (~10 million euro) for violating the privacy of its users. This violation is particularly worrying as Grindr handles very sensitive information. A fine of that size would place Grindr tenth among the largest GDPR fines issued so far.

I write about my work, research, and interests. Co-founder and inventor at Diri AS. Ph.D. risk management and assistant professor in information security.