One fine issued for every 395 data breach investigations, research reveals

New research has revealed that only 0.25% of reported data breaches have led to monetary punishments under GDPR.

Research conducted by security platform, revealed that out of 11,468 self-reported data breaches investigated by the ICO between May 25, 2018 and the end of March 2019, only 29 GDPR penalties were handed out. Therefore, only one of every 395 data breach investigations resulted in a fine, although many of these fines were issued for data breaches occurring before the new GDPR came into effect.

It was also found that since GDPR came into place, 37,798 data protection concerns were raised by members of the public. In addition, the research revealed that the health and education sectors were two of the most common sectors for data breach investigations.

Julian Ranger, founder of said:

“There is a clear problem with individuals and businesses over-reporting to the ICO. This data demonstrates the extent to which the ICO is inundated by concerns from businesses and the public, the vast majority of which are not serious enough for any kind of penalty or even to warrant an investigation.

“Businesses and individuals are clearly unsure what constitutes a serious breach of sensitive data. There is no public confidence that personal data is being handled responsibly – any organisation that collects personal data should put an informed consent process in place, which has the double benefit of putting individuals back in control of their personal data while also being fully compliant with regulation.”

