Organisations received £155 million in GDPR fines in 2020

In 2020, organisations received €182 million (about £155 million) in fines for violating the GDPR (General Data Protection Regulation), according to an IT Governance report.

Our GDPR Fines Quarterly Report revealed that more than two thirds of that total – €110 million (£94 million) – came in the final quarter of the year.

The surge is most likely tied to COVID-19. It takes several months to thoroughly investigate a GDPR breach, which means that many of the penalties issued between October and December 2020 occurred at the start of the pandemic.

Many organisations have struggled to meet their compliance requirements in lockdown, with IT and security teams scrambling to accommodate the needs for remote workers.

Who are the worst offenders?

There were at least 92 GDPR fines in Q4 2020, with more than a quarter of them coming from Spain.

Its National Data Protection Authority has also been the most active throughout 2020, issuing 131 fines across the year.

Meanwhile, the UK has the highest average fine – €11 million (£9.4 million) – although this is skewed by two large penalties.

British Airways was fined £20 million after cyber criminals compromised its systems, and Marriott International was fined £18.4 million for failing to address a vulnerability in its booking system.

Although these are among the largest penalties recorded under the GDPR, they were both reduced significantly upon appeal. British Airways was initially set to receive a £184 million fine and Marriot £99.3 million.

As such, the €50 million (£44 million) fine that Google received from France’s CNIL in 2019 remains the largest GDPR fine.

Where are organisations failing?

According to the report, 51% of fines involved breaches of Article 5, which states that personal data must be:

  • Processed lawfully, fairly and transparently;
  • Collected only for specific legitimate purposes;
  • Adequate and, where necessary, up to date;
  • Stored only as long as necessary; and
  • Processed in a way that ensures appropriate security.

The next most common violation involved the failure to document a lawful basis for processing, which is covered in Article 6 of the GDPR.

The other major contributor to GDPR fines was organisations’ failure to meet Article 32, which states that data controllers and processors must “implement appropriate technical and organisational measures” to secure the personal data they process.

To comply with Article 32, organisations must identify and mitigate risks that are presented by data processing, “in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed”.

Find out more by reading our report

You can download our latest GDPR Fines Quarterly Report for free to find out more about the effects that the Regulation has had.

The report looks back at 2020 as a whole, and reviews figures from the final quarter of the year. It covers:

  • The number of GDPR fines issued per country, by month; 
  • The value of the fines issued, by month; 
  • The most common types of breach that resulted in fines; 
  • A breakdown of GDPR fines per country; and 
  • Information about the organisations that have been fined.