More than 59,000 data breaches have been reported to regulators across Europe since GDPR came into force last May, with the UK in the top three – behind the Netherlands and Germany – when it comes to the most reported breaches.
According to DLA Piper’s GDPR Data Breach survey, the Netherlands topped the table with 15,400, Germany was second with 12,600 and the UK was third on 10,600. The lowest total in Europe was Liechtenstein on 15. To put this into context, this is equivalent to 1 reported breach for every 1,105 people in the Netherlands, 1 breach per 6,587 people in Germany, 1 reported breach for every 6,266 Brits and 1 reported breach for every 2,520 people in Liechtenstein.
The breaches, which range from minor errors such as missent emails to major cyber hacks, were reported by public and private organisations in the 26 European countries where data is available.
The latest survey exceeds figures released last month by the European Commission, which stated 41,502 breaches had been reported over the same period.
DLA Piper partner Ross McKean said: “GDPR completely changes the compliance risk for organisations which suffer a personal data breach due to revenue-based fines and the potential for US-style group litigation claims for compensation.
“As we saw in the US when mandatory breach notification laws came into force, backed up by tough sanctions for not notifying, GDPR is driving personal data breach out into the open.”
So far 91 fines have been handed down relating to data breaches, although the French data regulator’s €50m (£44m) penalty for Google was the highest to date. The company has already said it will appeal against the ruling.
DLA Piper partner Sam Millar added: “The regulators have already started to flex their muscles but the fine against Google is a landmark moment and is notable partly because it is not related to a personal data breach.
“We anticipate that regulators will treat data breach more harshly by imposing higher fines given the more acute risk of harm to individuals. We can expect more fines to follow over the coming year as the regulators clear the backlog of notifications.”