Over 59,000 GDPR data breach notifications, but only 91 fines


Since the European Union’s General Data Protection Regulation (GDPR) came into effect in May last year, EU organisations have reported almost 60,000 data breaches, but so far fewer than 100 fines have been issued by regulators.

According to a new report by multinational law firm DLA Piper, the European Commission's official statistics show 41,502 data breach notifications between 25 May 2018 and 28 January 2019 (Data Protection Day).

However, this figure only covered 21 of the 28 EU member states and did not include countries such as Norway, Iceland and Liechtenstein, which are not EU members but are part of the European Economic Area (EEA) and are subject to the same regulation.

DLA Piper’s own analysis has counted 59,430 disclosed data breaches across Europe over the same period, with the Netherlands, Germany and the United Kingdom leading by far in the number of reports.

Together, these countries are responsible for nearly two-thirds of data breach notifications, with 15,400, 12,600 and 10,600 disclosures, respectively.

GDPR requires organisations to report a personal data breach to their national data protection regulator within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and, where the breach is likely to result in a high risk to the affected individuals, to notify those individuals without undue delay.

It also mandates appropriate security measures for protecting personal data, and breaches of these security and notification obligations can draw fines of up to €10 million or two per cent of worldwide annual turnover, whichever is higher. Other infringements, such as processing without a valid legal basis, fall under the higher tier of up to €20 million or four per cent of worldwide annual turnover.

During the analysed time period, regulators have imposed 91 fines for GDPR violations, but not all of them were related to exposure of personal data, according to DLA Piper’s report.

For example, the largest was a recent €50 million fine imposed by the French data protection authority (CNIL) on Google for processing personal data for advertising purposes without obtaining the valid consent required under GDPR.