The top 10 fines imposed for data breaches in 2019 total more than €400m, new figures show.
The enormous penalties being handed out by regulators to firms that flout GDPR show that regulators are clamping down on poor business practices, according to online safety firm PreciseSecurity.com.
British Airways incurred the biggest penalty since the new GDPR regulations were introduced last year: in July the UK’s data protection authority, the ICO, announced a world-record €204.6m fine after the Magecart group used card skimming to collect the personal and payment information of up to half a million of the airline’s customers.
The second highest data breach penalty is one of €204.6m, which is the fine facing American multinational company Marriott International. This follows a cyber incident that Marriott notified to the ICO, which exposed approximately 339 million guest records, of which 30 million related to residents of 31 European countries and another seven million to UK citizens.
Google ranked third on the list of the highest data breach penalties in 2019 after incurring a €50m fine. The fine, imposed by France’s data protection regulator, CNIL, was issued because Google failed to provide users with enough information about its data consent policies. The tech giant also failed to give users enough control over how their information was used.
These three incidents will amount to data breach penalties of €365m in 2019 – nine times as much as the fines levied against the rest of the top 10.
Overall, since the new GDPR regulations came into force in May 2018, European data protection authorities have received more than 90,000 data breach notifications.
When such a breach occurs – if personal data held by the company is inadvertently revealed to a third party – the firm in question is required to notify its national data protection authority within 72 hours of becoming aware of the breach.
Depending on the seriousness of the breach, companies can be fined up to 4% of their annual turnover.