France, Germany and Austria top the rankings for the total value of GDPR fines imposed with just over €51m, €24.5 million and €18 million respectively.

Weighting the results against country populations, Ireland reported 132.52 breaches per 100,000 people, ranking Ireland with the second highest level of notifications per capita.

The Netherlands again come top with 147.2 reported breaches per 100,000 people, up from 89.8 per 100,000 people last year, followed by Ireland and Denmark.

Italy, Romania and Greece reported the fewest number of breaches per capita. Italy, a country with a population of over 62 million people, only recorded 1,886 data breach notifications, illustrating the cultural differences in approach to breach notification.

The highest GDPR fine to date was €50 million imposed by the French data protection regulator on Google, for alleged infringements of the transparency principle and lack of valid consent, rather than for a data breach.

Following two high-profile data breaches, the Information Commissioner’s Office in the UK published two notices of intent to impose fines in July 2019 totalling £282 million (approximately €329 million/$366 million) although neither have been finalised.

Commenting on the report, John Magee, IP and technology partner at DLA Piper Ireland, said: “GDPR has driven the issue of data breach well and truly into the open.

“The rate of breach notification has increased by over 12 per cent compared to last year’s report and it is no surprise to see Ireland — a strategic global hub for data-rich businesses across many sectors — once again ranked highly on number of breach notifications.

“The total amount of fines of €102.5 million imposed to date is relatively low compared with the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement.

“We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity.”

Patrick Van Eecke, chair of DLA Piper’s international data protection practice, said: “The early GDPR fines raise many questions. Ask two different regulators how GDPR fines should be calculated and you will get two different answers.

“We are years away from having legal certainty on this crucial question, but one thing is for certain, we can expect to see many more fines and appeals over the coming years.”

Download the report