Are GDPR data breaches actually happening?

We haven’t seen many breaches hitting the headlines, but data from the EU suggests they are certainly happening.
7 February 2019

Sundar Pichai, CEO of Google, which recently received a landmark GDPR fine. Source: Shutterstock

In light of the hysteria leading up to it, fallout since the implementation of the EU’s GDPR (General Data Protection Regulation) has been relatively low-key— well, save for Google’s €50 million (US$ 57 million) fine last month perhaps.

But while the headlines remain largely ‘fine-free’— oh, let’s also not forget hotel chain Marriott is facing a fine of up to €20 million (US$ 23 million) for exposing the data of about 500 million guests— it’s not to say that breaches aren’t happening more often than we think, if at a smaller scale.

At the end of January, the European Commission reported that EU data protection regulators had received 41,502 data breach notifications required by GDPR-compliant companies by law. But even that might not be the full scale of it, with that figure comprising voluntary data supplied by only 21 member states.

According to research by law firm DLA Piper, European data protection authorities may have received more than 59,000 data breach reports since GDPR came into effect in May last year, with certain markets bigger infringers (on paper, at least) than others.

“Based on our own research covering 23 of the 28 EU member states, together with figures for Norway, Iceland and Liechtenstein – the three additional European Economic Area member states – we calculate that there have been 59,430 reported data breaches over the same period across Europe,” DLA Piper said the report.

“The Netherlands, Germany and the United Kingdom came top of the table with the largest number of data breaches notified to supervisory authorities with approximately 15,400, 12,600 and 10,600 breaches notified respectively.”

Weighted on population, the Netherlands logged the most data breach reports per capita followed by Ireland and Denmark. The UK, Germany, and France ranked tenth, eleventh and 21st respectively, with Greece, Italy, and Romania reporting the lowest breaches compared to population size.

However, the report notes that findings can be skewed by international companies logging their reports in just one market, where their headquarters lie. Tech giants such as Facebook, Microsoft, and Twitter, for example, hold European headquarters in Dublin— all data breaches will be logged from Ireland.

DLA Piper also notes that per capita rankings also reveal some potential cultural indicators around breach reporting: “In particular, Italy has so far had very few breach notifications relative to its large population, which illustrates that notification practice and culture varies significantly among member states.”

While the numbers in the report do not necessarily mean there are more breaches happening, it serves as an indication of the scale of the issue and a reminder to businesses of all sizes of the importance of data security.

Any organization that violates privacy regulations faces fines of up to 4 percent of their annual global revenue or €20 million (US$22.7 million)— whichever is greater— as well as potential other sanctions, such as losing their right to process personal data.

Meanwhile, those companies that fail to report personal data breaches face a separate fine of €10 million (US$11.3 million) or 2 percent of annual global revenue.

According to DLA Piper, 91 fines have been imposed by EU regulators for GDPR infringements so far. But the European Commission says fines are not supposed to punitive— if businesses are seen to have taken the right steps— or sought the right help— following a breach, they’re unlikely to face a penalty.

A recent IT Governance report claimed that less than a third of organizations (29 percent) were fully compliant with GDPR, even after the deadline had passed.

While fines may be few and far between, though, firms collecting, storing and processing personal data should take the high-profile cases of Google and Marriott as a timely reminder to ensure their current cybersecurity measures and compliance levels are airtight.