When the GDPR came into effect on May 25th, 2018, it was clear that significant fines were designed to make non-compliance a costly mistake for organisations.
However, it was unclear whether the supervisory authorities would use the full extent of their power when administering fines. In fact, there was reassurance in August 2017, when the UK’s Information Commissioner Elizabeth Denham stated:
“The law is not about fines. It’s about putting the consumer and citizen first. The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”
What we have learned since then is that fines for non-compliance with the GDPR can be significant and that some supervisory authorities may, in fact, be favouring the stick over the carrot.
Now that there is a significant cohort of fines, we have been able to analyse them to better understand which articles of the GDPR have resulted in the most fines, where the fines are occurring, and what the cost of non-compliance is.