The low number of fines relative to the volume of reported breaches might be due to over-extended regulators, says a DLA Piper report.

Since the European Union's General Data Protection Regulation (GDPR) came into effect in May last year, EU organizations have reported almost 60,000 data breaches, but so far fewer than 100 fines have been issued by regulators.

According to a new report by multinational law firm DLA Piper, the European Commission's official statistics show 41,502 data breach notifications between May 25, 2018, and January 28, 2019 (Data Protection Day). However, this only covered 21 of the 28 EU member states and didn't include countries like Norway, Iceland and Liechtenstein, which are not EU members but are part of the European Economic Area (EEA) and are subject to the same regulation.

DLA Piper's own analysis has counted 59,430 disclosed data breaches across Europe over the same period, with the Netherlands, Germany and the United Kingdom leading by far in the number of reports. Together, these countries are responsible for nearly two-thirds of data breach notifications, with 15,400, 12,600 and 10,600 disclosures, respectively.

GDPR requires organizations to report the exposure of personal data to national data protection regulators and to the affected individuals within 72 hours after they become aware of such breaches. It also mandates strict security measures for protecting data and fines for violations of up to €10 million or 2 percent of worldwide annual turnover.

GDPR fines

During the analyzed time period, regulators imposed 91 fines for GDPR violations, but not all of them were related to the exposure of personal data, according to DLA Piper's report.

For example, the highest one was a recent €50 million fine imposed by the French data protection authority (CNIL) on Google for processing personal data for advertising purposes without obtaining the permission required under GDPR.

In Germany, the regulators imposed a €20,000 fine on a company for failing to protect employee passwords with cryptographic hashes, while in Austria a €4,800 fine was issued for operating an unauthorized CCTV system that partially surveilled a public sidewalk.

Backlog stretching GDPR regulator resources

The number of fines and their value, excluding the one against Google, have been low so far compared to the number of disclosed breaches, but this might be because regulators in some countries are still adjusting to the increased supervision and coordination roles they now play.

"Regulators are stretched and have a large backlog of notified breaches in their inboxes," the DLA Piper researchers said in their report. "Inevitably the larger headline grabbing breaches have taken priority when allocating resources, so many organizations are still waiting to hear from regulators whether any action will be taken against them in relation to the breaches they have notified."

The data suggests that, under the risk of high sanctions, many companies have prepared themselves to comply with GDPR's breach notification requirements. However, significant discrepancies can still be observed among different countries and cultures.

For example, when correlating the number of data breach notifications to population size, the Netherlands, Ireland and Denmark take the top three positions, while Germany and the UK fall to tenth and eleventh. Romania, Italy and Greece have the smallest ratio of data breach notifications per 100,000 people, with 1.2, 0.9 and 0.6, respectively.

"Sweeping data breaches under the carpet has become a very high-risk strategy under GDPR," the DLA Piper researchers concluded.