1st edition 2020
All EU Member States have been required to apply the General Data Protection Regulation ("GDPR", Regulation (EU) 2016/679) since 25 May 2018. After a cautious initial period, the EU data protection authorities ("DPA") have increased their fining activity significantly. This GDPR Enforcement Tracker Report aims to provide you with valuable insights into the fining activities of all EU DPAs under the GDPR, as well as the ICO's practice in the United Kingdom. Our analysis is based on the publicly available data on fines that we collect and compile at www.enforcementtracker.com. We intend to publish annual editions of this report, and we expect that the relevance of insights will steadily increase as more data on fines becomes available.
Overview, country and sector approach
In search of guidance on how to optimise its own data protection strategy and prioritise data protection measures, a company will naturally want to look at its peers and the competent authorities' practice. This holds true both in terms of business sectors and jurisdiction. Kicking off with an overall summary on the existing fines ("Numbers and Figures"), we have correspondingly divided the fines into the following business sectors and considered the respective fines' origins:
- Finance, insurance and consulting
- Accommodation and hospitality
- Health care
- Industry, commerce and real estate
- Media, telecoms and broadcasting
- Public sector
- Transportation and energy
- Individuals and private associations
The in-depth analysis permits first conclusions to be drawn as to which business sectors attracted particularly hefty fines. We have also analysed the DPAs' reasonings for the fines. These aspects together allow us to provide you with key takeaways for each business sector. Apart from the lawfulness of each data processing operation, bolstering data security should remain in the spotlight for every organisation. Litigation in data protection is set to increase in the near future. Organisations that maintain up-to-date security measures will be best prepared for the future and for potential litigation.