Written by

Bernard Marr

Bernard Marr is a world-renowned futurist, influencer and thought leader in the fields of business and technology, with a passion for using technology for the good of humanity. He is a best-selling author of 20 books, writes a regular column for Forbes and advises and coaches many of the world’s best-known organisations. He has over 2 million social media followers, 1 million newsletter subscribers and was ranked by LinkedIn as one of the top 5 business influencers in the world and the No 1 influencer in the UK.

Bernard’s latest book is ‘Business Trends in Practice: The 25+ Trends That Are Redefining Organisations’


GDPR: The Biggest Data Breaches And The Shocking Fines (That Would Have Been)

2 July 2021

Data is breached every single day, but most breaches never make headlines. Since the European Union's General Data Protection Regulation (GDPR) came into effect on 25 May 2018, a company that suffers a significant data breach no longer faces only the public relations damage and the financial strain of the breach itself; it can also face large fines mandated by the regulation. To get a sense of what the GDPR means for companies, we will review a few of the world's largest data breaches and consider what the penalties could have looked like had the GDPR been in force at the time of each breach.

GDPR Overview

The European Parliament approved the GDPR in April 2016 with the intent of consolidating data-protection law across Europe and protecting the privacy of people in the EU in an increasingly data-driven world. The GDPR applies to every organisation that processes the personal data of people in the EU, regardless of where that organisation is located, and its penalties fall on both data controllers and data processors. Where processing relies on consent, organisations must obtain it using clear language; no smoke and mirrors or confusing legalese is allowed. The breach-notification rules are specific: a controller must notify its supervisory authority within 72 hours of becoming aware of a personal data breach (unless the breach is unlikely to result in a risk to individuals), must inform the affected individuals without undue delay when the breach is likely to result in a high risk to them, and a processor must notify the controller without undue delay after becoming aware of a breach. The 72-hour clock starts at awareness, not at the end of the investigation, so the regulation allows a notification to be made in phases as the facts emerge, but the first notification cannot wait for the full picture. Additional requirements make it easier for individuals to learn how their data will be used and processed, to request erasure, and to receive a copy of the personal data an organisation holds about them.

And then there are the substantial fines the GDPR allows for non-compliance. There are two tiers: up to €10 million or 2% of total worldwide annual turnover (revenue) for the preceding financial year, whichever is higher; and up to €20 million or 4% of worldwide annual turnover, whichever is higher. Because the flat amount is a floor rather than a ceiling, for any large company the percentage figure is the one that matters. Infringements of the basic processing principles, of data subjects' rights and of the rules on international transfers fall in the higher tier; failures of the controller's and processor's own obligations, including the security-of-processing and breach-notification duties, fall in the lower tier. A late breach notification on its own therefore sits in the 2% band, while the underlying failure to keep the data secure can be treated as a breach of the integrity and confidentiality principle in the 4% band. These are maximums, not tariffs: the actual fine depends on the nature, gravity and duration of the infringement, the categories of personal data affected, whether the infringement was intentional or negligent, and how the organisation behaved afterwards, including its degree of cooperation with the supervisory authority.

Data Breaches and the Impact of GDPR

Let's take a look at some of the largest data breaches to date and use them to illustrate how the GDPR would have affected the companies involved had it been in force at the time of the breach.


The breaches at Yahoo in 2013 and 2014, which together affected all 3 billion of its user accounts, represented the largest data breach in history at the time. Not only was the scope enormous; the company did not disclose the breaches within anything like the 72 hours the GDPR now requires. The 2014 breach was disclosed in September 2016, the 2013 breach in December 2016, and it was not until October 2017 that Yahoo acknowledged that the 2013 breach had reached every account rather than the 1 billion first reported. With revenue in excess of $4 billion for 2012, Yahoo could have faced a maximum fine of about $80 million under the 2% tier, and as much as $160 million under the 4% tier, with the actual amount depending on the GDPR's variable factors, including the company's culpability and how cooperative it was.


eBay's 2014 breach affected 145 million users. The time between discovery and notification was relatively short: the breach was discovered in early May and users were notified later that month, but that is still well outside the GDPR's 72-hour window for notifying the supervisory authority. Names, addresses, dates of birth and passwords were compromised, while financial information was stored separately and remained secure. At the time, the company was criticised for poor communication and for problems with its password-reset process, but because financial data was not exposed, the categories of data affected would argue for a lower fine. Its turnover for 2013 was $6.6 billion, so the percentage-based cap, not the flat €10 million or €20 million figure, would have applied.


Equifax suffered one of the largest cyberattacks of 2017 (that we know of so far): the personal information of 143 million consumers was compromised, and an additional 209,000 also had their credit card data exposed, in a breach discovered in July. The company would have missed the GDPR's 72-hour notification requirement by a wide margin, since it made the breach public only in September. It did launch a website where consumers could check whether their data had been affected and offered credit monitoring to all U.S. consumers, which might have earned it some credit for post-breach cooperation and remediation; but with $3.1 billion in revenue for 2016, any fine would have been calculated against turnover rather than capped at the flat amount.

As these examples illustrate, companies face grave consequences and fines when data breaches occur now that the GDPR is in effect. The rules are strict, and every company doing business in the EU or handling the personal data of people in the EU needs to be sure it has processes in place to meet the GDPR's requirements, including a tested plan for detecting a breach and getting a notification to the supervisory authority within 72 hours.
