Over the last 12 months, European data protection authorities imposed fines totaling 158.5 million euros ($192 million) under GDPR, which makes for a total of 272.5 million euros ($331 million) in fines levied since the law went into full effect on May 25, 2018, according to DLA Piper's latest GDPR and data breach report. Not all of those GDPR violations involved data breaches.
GDPR includes tough breach-notification rules, often requiring organizations that learn they've been breached to inform relevant authorities, including their national data protection authority, within 72 hours. Failure to comply exposes organizations to fines of up to 4% of their annual global revenue or 20 million euros ($24.3 million) - whichever is greater. Organizations can also have their ability to process people's personal data revoked.
Since GDPR came into full effect, Italy's regulator has imposed the greatest total amount of fines, nearly $85 million, followed by Germany and France, which respectively imposed fines totaling $84 million and $66 million, the law firm says.
Post-Brexit, the British government says that under U.K. law, GDPR compliance - together with the country's Data Protection Act 2018 - will continue to be enforced, although it says there will be "technical amendments" added "to ensure it can function in U.K. law." In addition, "the Information Commissioner remains the U.K.'s independent supervisory authority on data protection."