Numbers and statistics: data and cyber breaches under the General Data Protection RegulationZahlen und Statistiken: Datenschutz- und Cybersicherheitsverletzungen im Rahmen der Datenschutz-Grundverordnung

Since the General Data Protection Regulation (GDPR) became effective in 2018, enforcement has been at the core of protecting personal data in the European Union (EU). The EU data protection authorities have imposed fines for various types of GDPR breach, and have targeted organisations in multiple sectors, including consumer, technology, media and telecom (TMT), healthcare and industry. The frequency and size of these fines have increased annually, and it is clear that the EU Data Protection Authorities (DPAs) are increasingly cracking down on non-compliance. This article focusses on the fines imposed for breaches of article 32 GDPR, which deals with security of data processing. Article 32 requires organisations to have sufficient technical and organisational measures (TOM) in place to protect them from data breaches, cyber breaches and data security incidents, both internally and externally. As of the end of June 2021, about one fifth of all GDPR fines were imposed for article 32 infringements.