The new data protection landscape ushered in by GDPR has begun to take shape over the last 18 months. By the end of 2019 there was an average of 278 notifications a day to the regulatory authorities in all of the countries.
“While the UK ranked third in the total number of breach notifications, with 22,181 reports since May 2018, this translated to a relative ranking of 13th for data breach notifications per 100,000 people. The Netherlands ranked first in this category, closely followed by Ireland, which could be explained by the fact that the headquarters of many companies are registered in these nations for tax purposes, and whose data protection authorities will be called upon to lead investigations.”
However the Irish authorities have actually collected no fines at all since they start of GDPR. They do have 15 major investigations in progress, 10 of which relate to breaches by Facebook.
This does illustrate a worrying development, that the national data protection authorities do not have the resources to properly investigate and police data breaches.
The two biggest fines announced so far have been issued by the UK’s Information Commissioner’s Office (ICO); £183M to IAG the parent company of British Airways for the hacking of their booking system and £99M to Marriott Hotel group over the data loss from their systems. Naturally both companies are in dispute with ICO over the scale of the fines and ICO have now deferred decision making until at least the end of March 2020. This is the sign that ICO’s £2m legal services budget is not sufficient to match the considerable legal representation that large global enterprises can organise. 
Nevertheless the fines levied throughout Europe now exceed €100M, with the €50M Google fine in France being the largest to date.