Analysis reveals two key reasons behind 65% of GDPR fines

Ticketmaster, British Airways and Marriott: New data reveals which businesses received GDPR fines during lockdown

Two key issues – unsecured data and lack of appropriate security – are behind 65% of all GDPR fines issued against European organisations to date, totalling £482m in penalties, according to new research.

New analysis from Exonar has today revealed that organisations across Europe have suffered GDPR fines to the tune of £313m by failing to have appropriate security in place and storing unsecured data. So far 50 penalties totalling £482m* have been issued under GDPR, with the vast majority (almost 65%) down to these two key issues.

Exonar’s analysis shows that 39% of GDPR related fines were the result of insufficient security, with affected companies including British Airways, Active Assurances and DSK Bank. These fines have totalled £188,865,900 to date.

Unsecured and over-retained data was responsible for 26% of fines totalling £123,663,350, from high-profile organisations such as Marriott, as well as Deutsche Wohnen and 1&1 Telecom.

Unlawful use of personally identifiable information (PII) and failure to comply with Data Subject Access Requests (DSAR), such as in the case of Vodafone and Google, was responsible for 19% of fines totalling £92,055,300. The remaining 16% totalled £77,135,050 and comprised a range of issues, such as Uber’s failure to report a breach fast enough, Unicredit’s incorrect sharing of data and H&M’s massive £32m fine this month for unlawful use of employee data.

Exonar’s CEO, Danny Reeves, said: “Nearly 65% of GDPR fines were caused because of insufficient security and storing unsecured data. Securing your data first can play a vital role in not only meeting GDPR standards but also help mitigate the risk of the insufficient security – as it will be harder for hackers to access any data in the event of a breach.”

Reeves continued: “Many organisations simply don’t know what data they’ve got, or how much over-retained data they hold because it is no longer visible. Dark data like this is a point of weakness in any organisation – and in order to fully secure the data, organisations need to first get a clear understanding of what data they hold.”

Source: Exonar