LONDON – There have been 59,000 reported data breach notifications under Europe’s General Data Protection Regulation (GDPR) since it came into force on May 25th, 2018. The UK had one of the highest numbers of breaches, according to a new report by law firm DLA Piper.
Netherlands, Germany, UK Worst Offenders
The report found that the highest numbers of reported breaches were in the Netherlands (15,400), Germany (12,600) and the UK (10,600). The Netherlands also topped the list of reported breaches when the results were weighted by population. It recorded 89.8 breaches per 100,000 people. Greece, Italy, and Romania had the fewest reported breaches on a per capita basis.
The report analyzed data from the 26 European Economic Area (EEA) countries where it was publicly available. The EEA includes the 28 Member States of the European Union (including the UK at the time of this writing), as well as Norway, Iceland and Liechtenstein.
DLA Piper Partner Ros McKean said: “The GDPR completely changes the compliance risk for organizations which suffer a personal data breach due to revenue based fines and the potential for US style group litigation claims for compensation. As we saw in the US when mandatory breach notification laws came into force, backed up by tough sanctions for not notifying, the GDPR is driving personal data breach out into the open.”
Record Fine for Google
The DLA Piper report detailed 91 fines issued under GDPR. The largest was the €50 million ($57 million) one issued against Google on January 21st, 2019 by the French authorities. This related to the processing of personal data for advertising, not a breach. Other fines also related to other GDPR transgressions, not personal data breaches.
Sam Millar, another DLA Piper Partner, said: “The regulators have already started to flex their muscles with 91 GDPR fines imposed to date but the fine against Google is a landmark moment and is notable partly because it is not related to personal data breach.”
Apple CEO Tim Cook has repeatedly called for the U.S. to introduce federal legislation similar to GDPR. Speaking in Brussels in October 2018 he warned against the rise of the “data industrial complex.”