According to the law firm DLA Piper, eight months after the EU’s General Data Protection Regulation came into full effect, European data protection authorities have received more than 59,000 data breach reports.
The firm analyzed data breach reports filed by 23 of the 28 EU member states since GDPR came into full force on May 25, 2018.
GDPR Data Breach Notifications – to Jan. 28, 2019
Last month the European Commission reported that EU data protection regulators had collectively received 41,502 data breach notifications. Some of the reported breaches also took place before GDPR came into effect, meaning the old data protection laws apply to them.
DLA Piper found that the Netherlands logged the most data breach reports per capita, followed by Ireland and Denmark. The United Kingdom, Germany and France rank tenth, eleventh and twenty-first respectively, while Greece, Italy and Romania have reported the fewest breaches per capita.
Under GDPR, non-EU organizations that have headquarters established in Europe can take advantage of a “one-stop shop” mechanism. This allows organizations with a presence across several EU member nations to be subject to regulatory oversight by just one supervisory authority, rather than being subject to regulation by the supervisory authorities of each nation in which they have a business presence.
For example, many U.S. technology companies, such as Facebook, Microsoft, Twitter and soon Google, have their European headquarters in Ireland, and thus will report all data breaches to Ireland’s DPA.
According to DLA Piper, the per capita weightings also reveal some red flags, including potentially differing cultural norms around breach reporting.
Breach Count Increases
In December 2018, Information Security Media Group revealed that the number of data breach reports filed since GDPR went into effect had hit about 3,500 in Ireland, over 4,600 in Germany, 6,000 in France and 8,000 in the U.K.
The latest EU data breach notification count does not necessarily mean that more breaches are occurring now than before GDPR went into effect, when few breaches had to be reported.
In the U.S., the Identity Theft Resource Center found that in 2018, the overall number of data breaches reported by organizations to state regulators and affected consumers declined from 2017. Many breached organizations do not disclose exactly what types of data were exposed. But for the organizations that did so, the ITRC found that, compared to 2017, breaches in 2018 exposed many more records containing data that state laws define as sensitive, which includes payment card data, Social Security numbers, dates of birth and medical diagnoses.
Notably, however, state laws don’t treat email addresses, usernames or passwords as sensitive, meaning their exposure alone typically would not require an organization to issue a data breach notification.
Do the Right Thing – Or Else
GDPR, however, is much more stringent, and any organization worldwide that violates the privacy regulation faces fines of up to 4 percent of their annual global revenue or $22.7 million – whichever is greater – as well as other potential sanctions. Organizations that fail to comply with GDPR’s reporting requirements can also face fines of up to $11.3 million or 2 percent of annual global revenue.
European privacy regulators say GDPR is not meant to be vindictive. Organizations have 72 hours to alert authorities to certain types of breaches, after which regulators can step in and help.
However, the U.K.’s data protection authority, the Information Commissioner’s Office, says that it wants to see specific details of what happened and the likely impact within the 72-hour window, rather than hearing that the breached organization is still struggling to muster a response.
91 GDPR Fines and Counting
EU regulators have been issuing GDPR fines. “So far 91 reported fines have been imposed under the new GDPR regime,” DLA Piper says. “Not all of the fines imposed relate to personal data breach.”
For example, the largest fine to date, $57 million levied against Google by France’s CNIL data protection authority, did not relate to a data breach but rather to the processing of personal data without authorization.
Germany accounts for 64 of the GDPR fines leveled so far, including the two largest fines to result from a data breach. Last November, the German data protection authority in the state of Baden-Württemberg, known as the LfDI, fined the German chat platform “Cuddles” $22,700 for failing to hash stored passwords.
According to an advisory notice from LfDI, by storing the passwords in clear text, the company knowingly violated its duty to ensure data security in the processing of personal data.
DLA Piper states that many data protection authorities have a big backlog of data breach reports; therefore, many breached organizations are still waiting to hear whether they will face fines.
Several organizations are still coming to grips with GDPR, and regulators are continuing to issue new guidance. To date, it’s not yet clear whether organizations can take out cyber insurance to help mitigate their risk of having to pay non-criminal GDPR fines in the event of a data breach.
Business Upsides to Compliance
The impetus for GDPR remains to safeguard Europeans’ privacy rights. Yet not all organizations that handle Europeans’ personal data fully comply with GDPR.
Complying with GDPR isn’t a silver bullet for avoiding all breaches, although it can help. Certainly, organizations that comply with GDPR report multiple upsides.