Over 59,000 GDPR data breach notifications, but only 91 fines

Less than 100 GDPR fines have been issued so far (Image gustavofrazao / iStockPhoto)

Since the European Union’s General Data Protection Regulation (GDPR) came into effect in May last year, EU organizations have reported almost 60,000 data breaches, but so far fewer than 100 fines have been issued by regulators.

DLA Piper's own analysis has counted 59,430 disclosed data breaches across Europe over the same period, with the Netherlands, Germany and the United Kingdom leading by far in the number of reports. Together, these countries are responsible for nearly two-thirds of data breach notifications, with 15,400, 12,600 and 10,600 disclosures, respectively.

GDPR requires organizations to report the exposure of personal data to national data protection regulators and to the affected individuals within 72 hours after they become aware of such breaches. It also mandates strict security measures for protecting data and fines for violations that can go up to of up to €10 million or 2 percent of the worldwide annual turnover.

GDPR fines

During the analyzed time period, regulators have imposed 91 fines for GDPR violations, but not all of them were related to exposure of personal data, according to DLA Piper's report. For example, the highest one was a recent €50 million fine imposed by the French data protection authority (CNIL) on Google for processing personal data for advertising purposes without obtaining the permission required under GDPR.

In Germany, the regulators imposed a €20,000 fine on a company for failing to protect employee passwords with cryptographic hashes, while in Austria a €4,800 fine was issued for operating an unauthorized CCTV system that partially surveilled a public sidewalk.

Backlog stretching GDPR regulator resources

The number of fines and their value, excluding the one against Google, have been low so far compared to the number of disclosed breaches, but this might because regulators in some countries are still accommodating themselves to the increased supervision and coordination roles they now play.

"Regulators are stretched and have a large backlog of notified breaches in their inboxes," the DLA Piper researchers said in their report. "Inevitably the larger headline grabbing breaches have taken priority when allocating resources, so many organizations are still waiting to hear from regulators whether any action will be taken against them in relation to the breaches they have notified."

Data suggests that under the risk of high sanctions, many companies have prepared themselves to comply with GDPR's breach notification requirements. However, significant discrepancies can still be observed among different countries and cultures.

For example, when correlating the number of data breach notifications to population size, the Netherlands, Ireland and Denmark come in top three positions, while Germany and the UK fall to tenth and eleventh. Romania, Italy and Greece have the smallest ratio of data breach notifications per 100,000 people, with 1.2, 0.9 and 0.6, respectively.

"Sweeping data breaches under the carpet has become a very high-risk strategy under GDPR,"  the DLA Piper researchers concluded.



Suggested Articles

China Mobile Hong Kong will use its relocated Hong Kong Open Lab to stimulate the adoption of 5G and the development of 5G applications

Hong Kong based payment and cryptocurrency platform provider Crypto.com has added a regulated stablecoin developed by US-based Paxos to its platform

McAfee antivirus users have joined those of Sophos and Avast in complaining about Windows Update breaking their systems