The Netherlands has seen the most GDPR breach notifications reported to the regulator, but the spread of activity, or inactivity in some nations, is quite remarkable.
In the eight months since GDPR was officially written into European regulations, law firm DLA Piper has said regulators have been alerted to breaches more than 59,000 times. The Netherlands, Germany and the UK have seen the biggest numbers of notifications, with 15,400, 12,600 and 10,600 respectively, though the new privacy status quo has not been embraced with such enthusiasm everywhere.
“GDPR has driven the issue of data breach well and truly into the open,” said Ross McKean, a partner at DLA Piper, “The rate of breach notification has increased by over 12% compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organisations.”
The scale and depth of these breaches vary considerably, a mis-sent email there and a cybersecurity hack here, but the number does represent a significant shift in the tides; data breaches are now being taken seriously, or at least in some nations.
As you can see from the table below, we have selected the ten largest economies across the bloc, the variance is quite interesting.
|Nation||Breaches in total||Breaches per 100,00 people|
There might be a few reasons for increased number of notifications in certain countries, allowing for the presence of different industries. For example, Ireland has the 4th largest number of notifications to the data watchdog (c.3,800) but the 20th smallest population (out of 28). This is also a country where the economy and society is dominated by the presence of the technology sector.
This will explain some of the variance on figures, but not completely. Take Italy for example. This is the 4th largest economy across the bloc, but in the eight months since May 25 when GDPR was introduced, the regulator was only notified of 610 data breaches. There are two explanations for such a low figure:
- Italian businesses have some of most advanced data protection policies and mechanisms worldwide
- The culture of owning mistakes and reporting data protection and privacy inadequacies is almost non-existent in the country
We have made the Italians the centre of this point, but there are quite a few who would fall into this category of (a) squeaky clean or (b) don’t care about GDPR. Spain has 670 breach notifications to the regulator, Belgium 420, Greece 70, Cyprus 35 and Liechtenstein 15.
Although GDPR has certainly made promising sets forward in forcing a more privacy orientated society and economy, the issues will continue to persist unless the same stringent attitudes are adopted across the board. Such is the fluidity and borderless nature of the digital economy, a weak link in the chain can cause disruption. All economies are interlinked, make no doubt about that.
Interestingly enough, momentum will gather as the digital economy becomes more complex. Security and data protection are still not high enough priorities on the corporate agenda, although trends are heading the right direction. Breaches will still continue to occur, and fines will start to get very large.
GDPR violations carry a maximum penalty of €20 million or 3% of annual revenues. These numbers can be reduced if the breach is reportedly in a timely manner and the company is helpful. However, fines to date have not been to this magnitude largely because the incidents occurred prior to the introduction of GDPR. Any breach which occurred after May 25 will be met with a much sharper stick than previously.
For example, Equifax is a company which collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide. Hundreds of millions of customers and consumers were impacted by the Equifax data breach of 2017, though the maximum fine which could be imposed by the UK’s Information Commissioner’s Office (ICO) was £500,000. Under GDPR, Equifax would have been fined £20 million.
GDPR took Europe into the 21st century when it comes to data protection and privacy. It forced companies and regulators to take a more stringent approach to the security of personal and corporate information. Despite the pain everyone had to endure to be GDPR-compliant, it should only be viewed as a good thing.
Data breaches are almost certainly going to continue, but one thing you can guarantee is the numbers are going to be getting a lot bigger.