Top 10 GDPR breaches of 2019 – cost £345m in fines

Top 10 GDPR breaches of 2019 – cost £345m in fines

According to the European Data Protection Board, 281,088 cases were logged by supervisory authorities in the first year of the GDPR’s application.

Of these cases, 144,376 related to complaints and 89,271 related to data breach notifications by data controllers.

As of September 2019, the EU’s supervisory authorities have issued, or announced their intention to issue, fines totalling approximately €372,120,990.50. (The figure is approximate owing to fluctuations in currency values.)


The ten most serious GDPR breaches this year led to a total £345m in fines, with the three highest penalties making up almost 90% of the total. This is according to research from, which is warning organisations to protect consumer information to the letter.

Setting the tone for future penalties, the Information Commissioner’s Office in July of this year announced its intention to fine British Airways £183.39m for infringements of the General Data Protection Regulation, following a cyber incident notified by the airline in September 2018 that affected the personal and payment information of up to half a million BA customers.

The following week, the ICO announced that Marriott International may be looking at a fine of over £99m for infringements of the new data rules, in an incident that exposed around 339 million guest records, and putting an end to any doubt around how seriously the watchdog is taking the issue of data privacy.

And with £44m in fines, Google ranked third on the list of the highest data breach penalties in 2019, a penalty imposed by France’s data protection regulator, CNIL following the tech giant’s failure to provide enough information to users about its data consent policies.

Since May 2018, all the European data protection authorities have received a combined 90,000 breach notifications.


DirectCloud Backup 

Top 10 GDPR breaches of 2019 – cost £345m in fines

(Graph based on data from, the European Data Protection Board and individual supervisory authorities’ websites. Note that the ICO’s intended fines for Marriott International, Inc. and British Airways are included.)