Nearly 60,000 data breaches reported since GDPR

Written by Peter Walker
05/02/19

Over 59,000 data breach notifications have been reported across the European Economic Area by public and private organisations since the General Data Protection Regulation (GDPR) came into force last May 2018, according to DLA Piper.

The Netherlands, Germany and the UK topped the table in the report, with approximately 15,400, 12,600, and 10,600 reported breaches respectively. The lowest numbers of reported breaches were made in Liechtenstein, Iceland and Cyprus, with just 15, 25 and 35 reported breaches respectively.

The law firm’s research, based on data from the European Commission covering personal data breach notifications for regulators up until 25 January, found that the Netherlands - with 89.8 reported breaches per 100,000 people - topped the list when the number of notifications were weighted against country populations.

Of the 26 EEA countries where breach notification data is available, the UK, Germany and France ranked 10th, 11th and 21st respectively on a reported fine per capita basis. Greece, Italy and Romania reported the fewest number of breaches per capita.

Ross McKean, a partner at DLA Piper specialising in cyber and data protection, explained that the GDPR completely changes the compliance risk for organisations which suffer a personal data breach, due to revenue based fines and the potential for US style group litigation claims for compensation.

“As we saw in the US when mandatory breach notification laws came into force, backed up by tough sanctions for not notifying, the GDPR is driving personal data breach out into the open.”

To date 91 fines have been reported, although not all of these relate to personal data breach and several relate to other infringements of GDPR.

The highest GDPR fine imposed to date is €50 million, which was made against Google on 21 January 2019. This was a French decision in relation to the processing of personal data for advertising purposes without valid authorisation, rather than a personal data breach.

Sam Millar, a partner at DLA Piper specialising in cyber and large scale investigations, said: "We anticipate that regulators will treat data breach more harshly by imposing higher fines given the more acute risk of harm to individuals – we can expect more fines to follow over the coming year as the regulators clear the backlog of notifications."