Skip to content


  • Add this article to your LinkedIn page
  • Add this article to your Twitter feed
  • Add this article to your Facebook page
  • Email this article
  • View or print a PDF of this page
  • Share further
  • Add this article to your Pinterest board
  • Add this article to your Google page
  • Share this article on Reddit
  • Share this article on StumbleUpon
  • Bookmark this page

Half way through 2019, is GDPR growing teeth?

Data protection authorities across Europe are extremely busy trying to protect the rights and freedoms of individuals whilst dealing with a massive number of breach notifications – the European Data Protection Board says there were more than 200,000 referrals in the first year of GDPR enforcement. With this many breach notifications in Europe, we’re seeing a growing level of enforcement.

So far, data from the GDPR Enforcement Tracker shows the financial penalties of non-compliance have ranged from small fines of just over £100 to more than £100 million. In total, authorities have issued £50 million pounds in fines, with more than £280 million pending issue. The scale of some of these fines shows data protection authorities are ready to bite when needed, but are there any trends in what they’re fining organisations for?

Four of the five biggest GDPR fines relate to Article 32

Article 32 violations vary widely, from lack of pseudonymisation and access controls to inadequate vulnerability scanning, patching and testing. That means any breaches caused by cyber-attacks would be highly visible to the public and taken very seriously. And if the data ends up in the hands of a hacker, people could be subject to fraud, identity theft, blackmail and other crimes – it’s virtually impossible to monitor what happens to the data after it’s stolen.

From a data protection authority view, it’s easy to understand why an Article 32 breach warrants a heavy financial penalty. In fact, four of the five biggest GDPR fines relate to infringements of Article 32, totalling £284 million. The Article’s focus on securing personal data is core to maintaining many of the other rights specified within GDPR. After all, hackers don’t do erasure requests.

What is Article 32?

Article 32 sets out a series of legally binding requirements for securely handling an individual’s data. Many of these were already best practice, but the fact they’re now mandatory means organisations need to pay closer attention.

Article 32 pushes Data Protection Officers into the world of the Chief Information Security Officer and gives practical advice as to what is acceptable in the eyes of a data protection authority. As a minimum to comply with Article 32:

  • personal data should be pseudonymised or anonymised and encrypted where possible
  • organisations should ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • organisations should be able to restore the availability and access to personal data in a timely manner in the event of disaster or incident
  • a robust process should be in place for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

A global movement towards increased data privacy is changing the way companies do business. Are you ready for the new era of data privacy?

Read more

Ensuring Article 32 compliance could save millions

Whilst assessing how to comply with Article 32, organisations must account for the risks in processing. This includes accidental or unlawful destruction, loss, alteration and unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. This can be particularly difficult for organisations to asses during mergers, acquisitions and organisational transformation projects. There must be elevated levels of due diligence to uphold individuals’ rights in these fast-changing environments.

Whatever the nature or cause of the data leak, events this year have provided a wakeup call for organisations to look again at their data privacy. Most organisations made sure they were compliant on 25 May last year, but data privacy is an ongoing obligation. As changes happen constantly across organisations and third-parties, they must reassess where they hold data, ensure they have the right controls in place and stress-test everything. And should engage their workforce, communicating the perils of non-compliant behavior, poor practices and negligence. For example, we worked with a multinational pharmaceutical company to ensure they had programme management practices that could reflect evolving GDPR guidance.

They must also plan for the worst. It’s difficult to accurately assess breach impact quickly but having the plans in place to get an early understand of who’s been affected and sending the right communications will be pivotal to how data protection authorities view GDPR breaches. Considering recent fines by the ICO, taking the right actions now could save millions.

Contact the author

Contact the data privacy team


By using this website, you accept the use of cookies. For more information on how to manage cookies, please read our privacy policy.