EU suffers 60,000 data breaches in last 8 months
Netherlands, Germany and UK top rankings for the number of breach notifications

By Valentina Spiridonova
The EU's GDPR regulation and its attached fines appear to be encouraging data breach reports, fundamentally changing the risk profile for organisations suffering a cyber attack, a new study shows. According to research from DLA Piper, over 59,000 data breach notifications have been reported to regulators throughout the EU since GDPR went into effect on 25th May 2018 - far more than the figures previously released by the European Commission show. And even though data breaches are showing no signs of slowing, the number of fines imposed lags far behind.
According to the law firm's new GDPR Data Breach survey, the data breaches ranged from 'minor' errors, such as errant emails sent to the wrong recipient, to major cyber attacks, and were reported across public and private organisations in the 26 European Economic Area countries. The data shows the UK is one of the top three countries with the highest number of data breaches reported - 10,600, to be precise. It was the Netherlands, however, that came first with 15,400 breaches, followed by Germany with 12,600. When the number of breach notifications was weighted against country populations, the Netherlands still topped the table, with 89.8 reported breaches per 100,000 people, but this time it was followed by Ireland and Denmark. On a brighter note, Liechtenstein, Iceland and Cyprus experienced the lowest number of reported breaches, with 15, 25 and 35 breaches respectively.
"The GDPR completely changes the compliance risk for organisations which suffer a personal data breach due to revenue based fines and the potential for US style group litigation claims for compensation. As we saw in the US when mandatory breach notification laws came into force, backed up by tough sanctions for not notifying, the GDPR is driving personal data breach out into the open," Ross McKean, a partner at DLA Piper states.
Yet, since GDPR went into effect, only 91 fines have been reported but not all of these relate to personal data breaches as several regard other infringements of the EU's data protection laws. Of the companies fined under GDPR, Google was hit the most heavily when the French regulator CNIL fined the search giant €50m over how it personalised the ads shown on its site.
"With the exception of the recent €50m fine imposed on Google, so far the level of fines have been low, certainly when compared to the maximum fines regulators now have the power to impose. However, we anticipate that 2019 will see more fines for tens and potentially even hundreds of millions of Euros as regulators deal with the backlog of GDPR data breach notifications," the report states.
“Regulators are stretched and have a large backlog of notified breaches in their inboxes. Inevitably the larger headline-grabbing breaches have taken priority when allocating resources, so many organizations are still waiting to hear from regulators whether any action will be taken against them in relation to the breaches they have notified,” Sam Millar, a partner at DLA Piper specialising in cyber and large scale investigations commented on the matter.
As Europost notes, under the EU General Data Protection Regulation (GDPR), personal data breaches which are likely to result in a risk of harm to affected individuals must be notified to data regulators. Where the breach is likely to result in a high risk of harm, affected individuals must also be notified. Sanctions for failing to comply with the new notification requirements include fines of up to €10 million, or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.