Over four years after the implementation of GDPR across Europe, three clear leaders have emerged in terms of the numbers of fines issued for breaches of Articles 32, 33 and 34. According to the GDPR Enforcement Tracker website, the most prolific regulators are:
- Romania – 47 fines
- Italy – 32 fines
- Spain – 32 fines
There is then a significant gap before a cluster of countries consisting of Norway, France, Sweden and Denmark. Interestingly, the major economies of the UK and Germany come in 9th and 11th, respectively. Overall, the rate of issuing fines has increased somewhat, with as many fines issued in the last 18 months as were awarded in the first three years of implementation. A total of 26 countries have now awarded at least one fine for a breach of Articles 32, 33 or 34.
As stated above, the Information Commissioner’s Office in the UK has been relatively restrained, only issuing nine fines so far. There have, however, been a couple of noteworthy incidents in the last year, both involving the public sector.
In late 2021, the ICO fined the UK Government Cabinet Office £500 000 for publishing the names and addresses of recipients in the 2020 New Year Honours list. The personal data was available online for a period of two hours and 21 minutes, during which time it was accessed 3,872 times.
Then, in June 2022, the ICO fined the Tavistock & Portman NHS Foundation Trust £78 000 for accidentally revealing the email addresses of patients at the gender identity clinic. This fine was significant because, as part of a trial of a new approach to public sector bodies, it had been reduced from an initial £784 000. The Information Commissioner is not convinced that fining public bodies is an effective deterrent, and is concerned about the effects on service users. The ICO will therefore be making greater use of warnings, reprimands and enforcement notices in all but the most serious cases. As well as reducing the fine on the Tavistock & Portman NHS Foundation Trust, we have also seen a proposed fine of £750 000 on NHS Blood and Transplant Service replaced with a public reprimand.
It will be very interesting to see if the new approach is effective in reducing the incidence of data breaches in the public sector.