Data breach fines have grown since the General Data Protection Regulation (GDPR) came into force, according to the law firm DLA Piper. There have been over 160,000 data breach notifications across Europe May 2018, according to the DLA Piper GDPR data breach survey: January 2020.

“Many organisations and indeed many supervisory authorities are struggling with how to determine when a breach is or is not notifiable given the vagaries of the legal trigger for notification – where there is “a risk” to the rights and freedoms of natural persons,” the report said.

Neither term is defined in the GDPR, although high-level guidance is available at an EU level: The guidelines on personal data breach notification. “Further guidance would be welcomed both by organisations reporting breaches and supervisory authorities assessing breaches in order to drive consistency and best practice for risk assessment,” the report said.

Breaches and fines

The Netherlands, Germany and the UK had the most data breaches notified for the 20 months from 25 May 2018 to 27 January 2020, with 40,647, 37,636 and 22,181 respectively. The Netherlands, Germany and the UK also topped the table for the total number of breach notifications in last year’s report.

While the level of notifications is high, the level of fines has yet to reach the maximum levels permitted under the regulations. So far, data regulators have only imposed €114 million of fines in 20 months.

The key takeaway from the early guidance and regulatory skirmishes is that how GDPR fines should be calculated remains an open legal question. It will take time – likely several years if not a decade – before a standard methodology starts to emerge from the jurisprudence of Member State courts, from the European Court of Justice and from the European Data Protection Board,” the report said. “In the meantime, particularly given the size of some of the early fines, we anticipate that appealing fines will become much more common.”

Facebook initially appealed against the £500,00 fine the UK’s Information Commissioner’s Office (ICO) imposed in the wake of the Cambridge Analytica data misuse, but subsequently dropped the appeal while admitting no liability, according to press reports.

Cyber basics lacking

Cathay Pacific Airways is the latest company to be fined £500,000 by ICO for “failing to protect the security of customers’ personal data.” While the airline acted rapidly to stem and report the breach, ICO said that the companies systems had basic failings. They did not satisfy four out of the five standards expected under the UK’s National Cyber Security Centre’s basic Cyber Essentials guidance.

“A catalogue of errors were found during the ICO’s investigation including back-up files that were not password protected; unpatched internet-facing servers; use of operating systems that were no longer supported by the developer and inadequate anti-virus protection,” the ICO said.

Most risk managers at IRM’s Big Debate event back in 2017 agreed that GDPR should be seen as an opportunity to improve risk management processes – but it seems that some organisations still have lessons to learn three years down the road.