According to a recently published report by multinational law firm DLA Piper, eight months after the implementation of the GDPR, regulators have received more than 59,000 personal data breaches.
While the European Commission’s official statistics show 41,502 data breach notifications between 25 May 2018 and 28 January 2019, these figures did not cover all 28 EU member states and also excluded countries like Norway, Iceland and Liechtenstein, which are not EU members but are part of the European Economic Area (EEA) and are also subject to the GDPR.
DLA estimated that over the same period there were 59,430 disclosed data breaches across Europe. Results also show that the Netherlands (15,400), Germany (12,600) and the UK (10,600) are the leading countries by number of reports. On the other hand, the previously mentioned Iceland (25) and Liechtenstein (15), along with Cyprus (35), were the countries with the fewest reported breaches.
These numbers greatly outweigh the number of actual fines imposed by regulators. Most of the larger fines imposed last year were the result of breaches that occurred in the pre-GDPR period. Only 91 of the reported breaches have had fines imposed under the new GDPR regime, though not all of these have been related to personal data exposure. The fines have ranged in value and severity, but to date the highest, €50 million, was issued against Google by the French National Data Protection Commission (CNIL) for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
The number of notifications that regulators receive exceeds their capacity to investigate all incoming cases. This has stretched their resources and created a large backlog of unresolved breach notifications. They have prioritised the more high-profile cases, and thus many other organisations are still waiting to hear whether any action will be taken against them.