The financial services sector has incurred the greatest number of fines of any industry in Europe due to breaches of the European Union’s General Data Protection Regulation (GDPR) data-protection rules.

The GDPR rules came into force on May 18th, 2018, and to date have led to 68 fines across 20 European countries, with the Czech Republic, Germany and Hungary accounting for the most fines at nine each. Belgium, Greece, Italy, Lithuania, Malta, Netherlands, Portugal and Sweden have issued only one fine each.

On a sector basis, finance led the way with 11 fines. The professional services sector was second with seven fines, followed by the public sector with five. Healthcare, hospitality, technology and telecommunications received four fines each.

The majority of the fines issued were for breaches related to the processing of personal data, with 41 penalties. Some 23 were issued for the lawfulness of processing data, and three for the rules covering the notification of a breach to supervisory authorities. One fine was issued for the communication of a personal data breach to the subject.

Fifteen companies were fined an average of €21 million under the rules covering the security of data processing.

Individuals fined

Although people may associate GDPR with companies, four fines were administered to private citizens.

Analysis of the fines by financial consultancy firm Mazars also showed that Ireland was among eight countries that have yet to levy fines, along with Croatia, Estonia, Finland, Luxembourg, Switzerland, Slovakia and Slovenia. However, ongoing investigations in Ireland are expected to result in penalties in the near future.

“What we can understand from examining the industries in which fines are being directed is that no organisation is exempt from the reach of the supervisory authorities – even private citizens are being subjected to fines for noncompliance,” said Liam McKenna, partner with Mazars Ireland.

“Our analysis shows that issues around the processing of personal data have to date been the most prevalent but given the regulations are only just over a year old, this pattern may change as organisations become more familiar with their responsibilities. With the Irish Data Protection Commissioner set to administer fines in the future, it will be interesting to note the sectors impacted and most common violations fined and how they compare to other European countries.”