Security requirements regularly enforced
From our data, it is apparent that security provisions of the GDPR are among those regularly cited by European DPAs as the legal basis for regulatory action and enforcement.
Specifically, the Article 32 provisions on security of processing have been invoked by regulators on over 31 occasions since March 2019. The total value of fines issued under Article 32 exceeds that of any other article of the GDPR. The average value of a fine under Article 32 amounts to €24.3 million. This is higher than the average value of fines issued under Article 5(1)(f) (€654,630). Article 5(1)(f) sets out one of the core principles relating to the processing of personal data under the GDPR, requiring that personal data be processed in a manner that ensures its appropriate security.
Our findings highlight the regularity with which European DPAs will scrutinise data security matters and their willingness to enforce against non-compliance, including through issuing substantial penalties.
Further analysis highlights that failures by organisations to meet their obligations to notify personal data breaches led to fines totalling nearly €8m being issued by European DPAs between March 2019 and May 2020. This is a warning to companies that compliance with the notification requirements for personal data breaches will be taken seriously, and that DPAs are willing to impose fines as both an incentive and a deterrent so that compliance becomes the norm.