Written by

Bernard Marr


GDPR: The Biggest Data Breaches And The Shocking Fines (That Would Have Been)

2 July 2021

Data is breached every single day, but most of these breaches don’t make headlines. Since the European Union’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018, many companies that experience a significant data breach won’t just be dealing with a public relations snafu and the financial strain brought on by the breach, but will also face large fines mandated by the regulation. To get a sense of what the GDPR means for companies, we will review a few of the world’s largest data breaches and the implications had GDPR penalties been in place at the time of the breach.

GDPR Overview

The European Parliament approved the GDPR in 2016 with the intent of consolidating data privacy laws across Europe and protecting EU citizens’ privacy in an increasingly data-driven world. The GDPR covers ALL companies that process the personal data of those in the EU, regardless of where the company is located. In addition, penalties for a breach are serious for both data controllers and processors. Companies must use clear language to obtain authorization from an individual to use their data. No smoke and mirrors or confusing legalese is allowed. Companies must also notify individuals that their data was potentially compromised within 72 hours of realising a data breach occurred; data processors are also required to notify their customers “without undue delay.” Additional requirements make it easier for individuals to learn how their data is going to be used and processed, request data erasure and receive the personal data that organisations collect.

And then there are the substantial fines and penalties mandated by GDPR for non-compliance with the regulation. There are two tiers of fines: up to 10 million pounds or 2% of annual global turnover (revenue) of the previous year, whichever is higher; and up to 20 million pounds or 4% of annual global turnover, whichever is greater. It is expected that breaches of data subjects’ rights will result in the higher-level fine, although many factors will help determine the actual fine, including the duration and gravity of the infringement and the types of personal data affected. The level of cooperation and behaviour of the organisation will also play a role in influencing the final fines.

Data Breaches and the Impact of GDPR

Let’s take a look at some of the largest data breaches that have occurred and use them to illustrate how GDPR would have impacted the companies if it had been in effect at the time of the breach. 


At the time that 3 billion user accounts had been breached at Yahoo in 2013-2014, it represented the largest data breach in history. Not only was the scope significant, but the company also didn’t disclose the breadth of the breach within 72 hours as the GDPR requires; in fact, it took them until October 2017 to fully acknowledge the extent of multiple breaches that occurred in 2013-2014. With revenue in excess of $4 billion for 2012, Yahoo would have faced millions of dollars in fines if GDPR had been in place: $80 million, but potentially as much as $160 million, depending on the variable factors of GDPR, including the culpability of the company and how cooperative they were.


Even though the time between eBay discovering its data breach that impacted 145 million eBay users in 2014 and notification to consumers was relatively short (the breach was discovered in early May, but the company notified its users later in the month), it still wasn’t within the 72-hour requirement of GDPR. Although names, addresses, dates of birth and passwords were compromised, the financial information remained secure. At the time, the company was criticised for the lack of communication and trouble with its password-renewal process, but ultimately, since the financial info wasn’t compromised, it could mean the fines would have been lower. Its turnover for 2013 was $6.6 billion, so they wouldn’t have qualified for the lower 10 or 20 million pounds fine.


As one of the largest cyberattacks of 2017 (that we know of so far), the personal information of 143 million consumers was compromised and an additional 209,000 also had their credit card data exposed when a breach was discovered in July. The company failed to meet the 72-hour notification requirement of the GDPR when they made the breach public in September. They did launch a website so consumers could check if their data had been compromised and offered credit monitoring for all U.S. consumers, so they may have received high marks for their cooperation and action post-breach; however, they would still qualify for the higher-level fine due to reporting $3.1 billion in revenue for 2016.

As these examples illustrate, companies will face grave consequences and fines for data breaches once GDPR is in effect. The regulations are strict, and all companies doing business in the EU or with citizens of the EU need to be sure they have processes in place to meet the GDPR requirements now.
