Report: Over 59,000 GDPR data breach notifications, but only 91 fines


Since the European Union’s General Data Protection Regulation (GDPR) came into effect in May last year, EU organizations have reported almost 60,000 data breaches, but so far fewer than 100 fines have been issued by regulators.

According to a new report by multinational law firm DLA Piper, the European Commission’s official statistics show 41,502 data breach notifications between May 25, 2018, and January 28, 2019 (Data Protection Day). However, those figures covered only 21 of the 28 EU member states and left out countries such as Norway, Iceland and Liechtenstein, which are not EU members but, as part of the European Economic Area (EEA), are subject to the same regulation.

DLA Piper’s own analysis has counted 59,430 disclosed data breaches across Europe over the same period, with the Netherlands, Germany and the United Kingdom leading by far in the number of reports. Together, these countries are responsible for nearly two-thirds of data breach notifications, with 15,400, 12,600 and 10,600 disclosures, respectively.

GDPR requires organizations to report a personal data breach to their national data protection authority within 72 hours of becoming aware of it, and to notify the affected individuals without undue delay where the breach is likely to result in a high risk to them. It also mandates appropriate technical and organizational security measures for protecting personal data, and violations of these obligations can draw fines of up to €10 million or 2 percent of worldwide annual turnover, whichever is higher.

GDPR fines

During the analyzed time period, regulators imposed 91 fines for GDPR violations, but not all of them were related to the exposure of personal data, according to DLA Piper’s report. For example, the highest was a recent €50 million fine imposed by the French data protection authority (CNIL) on Google for processing personal data for advertising purposes without obtaining the valid consent GDPR requires.

In Germany, a regulator imposed a €20,000 fine on a company for failing to protect employee passwords with cryptographic hashes, while in Austria a €4,800 fine was issued for operating an unauthorized CCTV system that partially surveilled a public sidewalk.
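The German fine turns on a single storage decision, so here is the weak practice beside its hardened form as an added example (this is illustrative code, not code from the article, the report or the fined company). It assumes a Python dict standing in for the password table and assumes PBKDF2-HMAC-SHA256 with a 16-byte random salt and 600,000 iterations as the hashing scheme; both are choices made for the example, not facts from the page.

```python
import hashlib
import hmac
import os

# Assumed KDF parameters for the example (not from the article):
# PBKDF2-HMAC-SHA256, 16-byte random salt, 600,000 iterations, 32-byte output.
ITERATIONS = 600_000
SALT_LEN = 16
KEY_LEN = 32
SCHEME = "pbkdf2_sha256"


# --- The practice that drew the fine: the password itself is stored ---
def store_plaintext(db, username, password):
    """Stores the password verbatim; any dump of the table reveals every password."""
    db[username] = password


def verify_plaintext(db, username, password):
    return db.get(username) == password


# --- Hardened form: only a salted, iterated hash of the password is stored ---
def store_hashed(db, username, password):
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_LEN
    )
    # Record scheme, iteration count and salt with the digest so the
    # parameters can be raised later without breaking old records.
    db[username] = f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(db, username, password):
    record = db.get(username)
    if record is None:
        # Run the KDF anyway so an unknown user costs as much as a wrong password.
        hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), os.urandom(SALT_LEN), ITERATIONS, dklen=KEY_LEN
        )
        return False
    scheme, iters, salt_hex, digest_hex = record.split("$")
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters), dklen=KEY_LEN
    )
    # Constant-time comparison: no early exit on the first differing byte.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo():
    """Constructed sample: one user in each table, same password in both."""
    secret = "correct horse battery staple"
    plain_db, hashed_db = {}, {}
    store_plaintext(plain_db, "alice", secret)
    store_hashed(hashed_db, "alice", secret)
    store_hashed(hashed_db, "bob", secret)  # same password, different salt
    return {
        "plaintext_table_reveals_password": plain_db["alice"] == secret,
        "hashed_record_hides_password": secret not in hashed_db["alice"],
        "same_password_different_records": hashed_db["alice"] != hashed_db["bob"],
        "hashed_verify_correct": verify_hashed(hashed_db, "alice", secret),
        "hashed_verify_wrong": verify_hashed(hashed_db, "alice", "Tr0ub4dor&3"),
        "hashed_verify_unknown_user": verify_hashed(hashed_db, "carol", secret),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the hashed variant is what a leaked table gives an attacker: with plaintext storage, everything; with per-user salts and an iterated hash, one expensive offline guessing run per user. Storing the iteration count in each record is what lets the cost be raised over time as hardware gets faster.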
