France, Germany and Austria top the rankings for the total value of GDPR fines imposed with just over €51m, €24.5 million and €18 million respectively.

The Netherlands, Germany and the UK topped the table for the number of data breaches notified to regulators with 40,647, 37,636 and 22,181 notifications each.

The highest GDPR fine to date was €50 million imposed by the French data protection regulator on Google, for alleged infringements of the transparency principle and lack of valid consent, rather than for a data breach.

Following two high profile data breaches, the Information Commissioner’s Office published two notices of intent to impose fines in July 2019 totalling £282 million (approximately €329 million / $366 million) although neither have been finalised.

Ross McKean, a partner at DLA Piper specialising in cyber and data protection, said: “GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12 per cent compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organisations.”

Patrick Van Eecke, chair of DLA Piper’s international data protection practice, said: “The early GDPR fines raise many questions. Ask two different regulators how GDPR fines should be calculated and you will get two different answers. We are years away from having legal certainty on this crucial question, but one thing is for certain, we can expect to see many more fines and appeals over the coming years.”

Download the report