The EU’s GDPR appears to be encouraging data breach reporting, with almost 60,000 breach notifications filed since the privacy law came into force on 25 May 2018.
According to multinational law firm DLA Piper’s GDPR Data Breach Survey, the data breaches ranged in severity from minor breaches to major cyber-attacks affecting millions of people.
Breaches were reported in all 26 countries analysed. The Netherlands, Germany and the UK accounted for the majority of notifications, with 15,400, 12,600 and 10,600 disclosures respectively.
Italy, Greece and Romania had the lowest per capita rates of breach reporting, suggesting that levels of reporting and compliance vary considerably between countries.
Ross McKean, partner at DLA Piper, said: “The GDPR completely changes the compliance risk for organisations which suffer a personal data breach due to revenue-based fines and the potential for US-style group litigation claims for compensation.
“As we saw in the US when mandatory breach notification laws came into force, backed up by tough sanctions for not notifying, the GDPR is driving personal data breaches out into the open.”
The survey also found that 91 fines have been issued for GDPR violations since May last year, though not all of them related to the exposure of personal data. The largest to date is the €50 million fine imposed on Google by the French data protection authority (CNIL), for processing personal data for advertising purposes without obtaining the consent GDPR requires.
The GDPR imposes strict requirements for the protection of personal data, and organisations found in breach can be fined up to 4% of annual global turnover or €20 million, whichever is higher. The level of any fine depends on the severity of the breach and on whether the organisation can show it has taken steps to comply.
The report stated that: “Regulators are stretched and have a large backlog of notified breaches in their inboxes. Inevitably the larger headline grabbing breaches have taken priority when allocating resources, so many organisations are still waiting to hear from regulators whether any action will be taken against them in relation to the breaches they have notified.”