Regulatory activity under the European Union’s General Data Protection Regulation certainly increased during 2019, but not quite to the ‘mega-fine’ degree that was expected. The most notable outcome from a year with the GDPR was instead the considerable variance in penalties issued by different regulators throughout the bloc.
This is the key finding from insurer Beazley’s latest Breach Insights Report, which analyses the actions of data protection regulators across the EU and the impact on organisations which, while based elsewhere, are still subject to the rules through their business structure or customer base.
Fines handed out by the Information Commissioner’s Office in the UK have been rare compared with those issued by other European regulators, with Belgium, Bulgaria, France, Germany, Greece, Hungary, Italy, Lithuania, Netherlands, Norway, Poland, Romania, Spain and Sweden particularly active.
Head of Beazley Breach Response Services, Katherine Keefe, commented: “The extraterritorial provisions within the GDPR mean organisations in the US and other non-EU territories may be subject to the GDPR due to having either customers or offices in countries subject to the rules.
“It is, therefore, all the more important that they track the enforcement developments to understand how they could be affected. Knowing how to manage and report a cyber breach helps organisations to both prevent and recover from an incident and avoid a sizeable fine if the breach is mishandled.”