New research has revealed that only 0.25% of reported data breaches have led to monetary punishments under GDPR.
Research conducted by security platform Digi.me revealed that out of 11,468 self-reported data breaches investigated by the ICO between May 25, 2018 and the end of March 2019, only 29 GDPR penalties were handed out. That means only one in every 395 data breach investigations resulted in a fine. However, many of these fines were issued for data breaches that occurred before the new GDPR came into effect.
It was also found that since GDPR came into place, 37,798 data protection concerns were raised by members of the public. In addition, the research revealed that the health and education sectors were two of the most common sectors for data breach investigations.
Julian Ranger, founder of Digi.me, said:
“There is a clear problem with individuals and businesses over-reporting to the ICO. This data demonstrates the extent to which the ICO is inundated by concerns from businesses and the public, the vast majority of which are not serious enough for any kind of penalty or even to warrant an investigation.
“Businesses and individuals are clearly unsure what constitutes a serious breach of sensitive data. There is no public confidence that personal data is being handled responsibly – any organisation that collects personal data should put an informed consent process in place, which has the double benefit of putting individuals back in control of their personal data while also being fully compliant with regulation.”