Analysis reveals two key reasons behind 70% of GDPR breach fines


New analysis from Exonar has revealed that organisations across Europe have suffered GDPR fines to the tune of £313m* for two key reasons:

1. Failing to have appropriate security in place

2. Storing unsecured data.

So far, 50 penalties totalling £482m* have been issued under GDPR, with the vast majority (almost 65%) down to these two key issues. To see at a glance how the fines break down, scroll down to see our infographic below.

Exonar’s analysis shows that 39% of GDPR-related fines were the result of insufficient security, with affected companies including British Airways, Active Assurances and DSK Bank. These fines have totalled £188,865,900 to date. (As at 16th October 2020, the ICO reduced British Airways' fine to £20m, a reduction of £163m from the original fine.)

Unsecured and over-retained data was responsible for 26% of GDPR breach penalties totalling £123,663,350, from high-profile organisations such as Marriott, as well as Deutsche Wohnen and 1&1 Telecom. (Marriott's fine was similarly reduced by the ICO to £18.4m, an 81% reduction.)

Unlawful use of personally identifiable information (PII) and failure to comply with Data Subject Access Requests (DSAR), such as in the case of Vodafone and Google, were responsible for 19% of fines totalling £92,055,300. The remaining 16% totalled £77,135,050 and comprised a range of issues, such as Uber’s failure to report a breach fast enough, Unicredit’s incorrect sharing of data and H&M’s massive £32m fine this month for unlawful use of employee data.

“Nearly 65% of GDPR fines were caused by insufficient security and storing unsecured data. Securing your data first can play a vital role in not only meeting GDPR standards but also helping mitigate the risk of the insufficient security - as it will be harder for hackers to access any data in the event of a breach.”

“Many organisations simply don’t know what data they’ve got, or how much over-retained data they hold because it is no longer visible. Dark data like this is a point of weakness in any organisation – and in order to fully secure the data, organisations need to first get a clear understanding of what data they hold.”

Danny Reeves, CEO, Exonar

* This is the original fine total. Since then, two major fines for BA and Marriott have been massively reduced as of October 2020.