Finance brands the biggest villains for GDPR penalties

While technology giants are attracting all the negative press over GDPR compliance, it is the financial services sector which has taken the biggest hit so far, having been slapped with 11 fines out of a grand total of 68 penalties issued across the EU since May 25 last year.
According to an analysis of the fines by financial consultancy Mazars, the professional services sector holds second place in the “list of shame” with seven fines, followed by the public sector with five. Healthcare, hospitality, technology and telecoms have received four fines each.
The majority of the fines (41) have been issued for breaches related to the processing of personal data, with 23 for the lawfulness of processing data, and three for the rules covering the notification of a breach to supervisory authorities. One fine was issued for the communication of a personal data breach to a consumer.
Meanwhile, 15 companies have been whacked with an average of €21m (£19m) under the rules covering the security of data processing.
The figures do not include the UK Information Commissioner’s Office’s proposed penalties against BA and Marriott International, as these have yet to be officially levied.
The Czech Republic, Germany and Hungary account for the most fines at nine each, while Belgium, Greece, Italy, Lithuania, Malta, Netherlands, Portugal and Sweden have issued only one fine each.
Ireland is among eight countries that have yet to levy fines, along with Croatia, Estonia, Finland, Luxembourg, Switzerland, Slovakia and Slovenia. However, with the Irish Data Protection Commission covering most tech firms, including Facebook, Microsoft and Apple, this is likely to change any day now.
The Irish DPC recently confirmed that a ruling against Facebook-owned WhatsApp is likely to be published in the coming weeks.
Mazars Ireland partner Liam McKenna said: “What we can understand from examining the industries in which fines are being directed is that no organisation is exempt from the reach of the supervisory authorities – even private citizens are being subjected to fines for noncompliance.
“Our analysis shows that issues around the processing of personal data have to date been the most prevalent but given the regulations are only just over a year old, this pattern may change as organisations become more familiar with their responsibilities. With the Irish DPC set to administer fines in the future, it will be interesting to note the sectors impacted and most common violations fined and how they compare to other European countries.”
