European regulators ‘get 60,000 breach reports’ under GDPR


Privacy regulators around Europe have received almost 60,000 reports of data breaches since the introduction of the General Data Protection Regulation (GDPR) in May last year.

This is according to a study by law firm DLA Piper, which found the Netherlands, Germany and the UK were responsible for the most incidents, with 15,400, 12,600, and 10,600 reported breaches respectively.

It observed that the volume of reports, driven mainly by much stricter requirements for businesses to notify authorities quickly of any breaches, means regulators are struggling to keep pace, with most countries dealing with a large backlog.

Ross McKean, a partner at DLA Piper specialising in cyber and data protection, said that GDPR has completely changed the compliance risk for firms that fall victim to data breaches.

"As we saw in the US when mandatory breach notification laws came into force, backed up by tough sanctions for not notifying, the GDPR is driving personal data breaches out into the open," he continued.

So far, 91 fines have been issued across Europe under the GDPR regime, though not all of these were directly related to personal data breaches. The highest penalty was the €50 million (£44 million) imposed on Google by French regulator CNIL, which concerned the processing of user data for advertising purposes without valid authorisation.
  
The report noted it is still early days for GDPR, with the value of most fines so far relatively low. However, the firm anticipates that 2019 will see more fines reaching tens or even hundreds of millions of euro.

Sam Millar, a partner at DLA Piper specialising in cyber and large scale investigations, added that regulators have just started to "flex their muscles" when it comes to enforcement of GDPR rules, with the fine against Google a particularly landmark moment.

"We anticipate that regulators will treat data breach more harshly by imposing higher fines given the more acute risk of harm to individuals," he continued. "We can expect more fines to follow over the coming year, as the regulators clear the backlog of notifications."