Mazars analysis shows that the finance sector has received the most GDPR fines to date

Audit, accountancy and advisory firm Mazars have published an analysis showing that of the GDPR fines administered to date across Europe, the finance sector has received 11 fines, significantly more than any other industry. The majority of these fines were administered for breaches related to the processing of personal data.

The analysis also shows that of the 28 European countries with supervisory authorities examined, 8 countries have yet to administer fines. The countries include Croatia, Estonia, Finland, Ireland, Luxemburg Switzerland, Slovakia and Slovenia. However, penalties related to ongoing Irish investigations are expected in the near future.

Since the introduction of GDPR in May 2018, there have been a total of 68 fines across 20 European countries with supervisory authorities. The Czech Republic, Germany and Hungary have administered the most fines with 9 each. The analysis showed that 40% of the countries that had issued fines had administered only 1 fine – these being Belgium, Greece, Italy, Lithuania, Malta, Netherlands, Portugal and Sweden.

Of the fines administered, the finance sector received 11 fines, significantly more than any other. This was followed by professional services with 7, followed by the public sector with 5 and healthcare, hospitality, technology and telecommunications, all of which received 4 fines each. Interestingly 4 fines were administered to private citizens and a large cohort of fines (17) could not be categorised by sector as their details were not publically available.

The Mazars analysis shows that most fines (41) were administered for violations of Article 5 – ‘Principles relating to the processing of personal data’ followed by 23 fines for breach of Article 6 – ‘Lawfulness of processing’. It is also noteworthy that 3 fines have been administered for Articles 33 ‘Notification of a personal data breach to the supervisory authority’ and 1 for Article 34 ‘Communication of a personal data breach to the data subject’. This highlights that while an organisation may implement strong controls to protect personal data in the event of a security incident, which may prevent them from being fined, organisations may still be liable for fines if they fail to follow protocol about a notification.

Of note were the average fine amounts administered for each article. While the most number of fines (41) were noted for Article 5 ‘Principles relating to the processing of personal data’, the average fine administered was €.34m. This contrasts with breaches of Article 32 ‘Security of data processing’ with 15 companies fined on average a staggering €21m.

A total of 3 organisations in breach of Article 14 ‘Information to be provided where personal data have not been obtained from the subject’ received an average fine of €4.2m. The analysis also showed that 23 organisations were fined on average €.55m for breach of Article 6 ‘Lawfulness of processing. Finally, 7 fines were administered for breaches of Article 13 ‘The right to be informed’ with an average penalty of €1.8m.

Commenting on the analysis, Liam McKenna, Partner with Mazars Ireland stated; “What we can understand from examining the industries in which fines are being directed is that no organisation is exempt from the reach of the supervisory authorities, even private citizens are being subjected to fines for noncompliance.

“GOur analysis shows that issues around the processing of personal data have to date been the most prevalent but given the regulations are only just over a year old, this pattern may change as organisations become more familiar with their responsibilities. With the Irish Data Protection Commissioner set to administer fines in the future, it will be interesting to note the sectors impacted and most common violations fined and how they compare to other European countries.”