The Actuary The magazine of the Institute & Faculty of Actuaries

GDPR results in €56m worth of fines

The General Data Protection Regulation (GDPR) has resulted in €56m (£49m) worth of fines since it came into force last May, insurance broker Marsh has revealed.

GDPR results in a "striking" diversity of fines ©iStock

In a new report, Marsh highlighted how regulators had brought forward more than 200,000 cases in 31 countries in the first nine months GDPR was in effect.

And thousands of fines are currently pending, with Marsh highlighting how the regulation’s broad scope has resulted in a “striking” diversity of enforcement actions.

Some cases have involved traditional data privacy concerns, but companies have also been penalised for less conventional reasons, such as excessive use of security cameras.

However, no penalties have yet come close to the much-discussed maximum fine of €20m or 4% of annual revenue, whichever is greater.

"But companies can expect data protection authorities to be aggressive with their sanction powers, which are entirely new for some EU members," Marsh said.

“The convergence of GDPR and other data privacy regulation with evolving technology will challenge businesses’ ability to foster technology while protecting privacy.”

GDPR is designed to give better protection for citizens by harmonising data privacy laws across Europe, and applies to all companies that do business in the EU.

However, the regulation has also prompted many nations outside Europe, such as Brazil, India, Japan, Thailand and the US, to introduce data privacy rules of their own.

A consequence of this is that more businesses are keeping personal data stored on devices or servers that are physically present in the territory where the data was generated.

Large firms have discovered that transferring data outside Europe can prompt EU regulators to scrutinise the receiving jurisdiction’s protection standards.

Marsh also said businesses should expect the EU to focus on artificial intelligence’s processing of data, particularly when it distinguishes people based on race, gender or political beliefs.

“The combination of these factors creates the potential for a hydra-like cyber risk for businesses,” Marsh said.

“Risk professionals should prepare for the potential pitfalls that lie ahead by consulting with their advisors and insurance brokers about evolving regulatory standards and changing technology, and adopting insurance policy terms and conditions to address their organisations’ widening exposures.”
