The number of data breaches notified under GDPR has exceeded 160,000 since May 2018, totalling €114m in fines.
Since GDPR came into force in May 2018, the number of reported data breaches has increased and it has made the Irish Data Protection Commission (DPC) one of the busiest regulators in Europe per capita. According to a new report published by law firm DLA Piper, more than 160,000 data breach notifications have been issued under GDPR, seeing a total of €114m issued in fines.
France, Germany and Austria topped the rankings for the total value of GDPR fines imposed, with just over €51m, €24.5m and €18m, respectively. Meanwhile, the Netherlands, Germany and the UK were the most active reporters to their regulators, with 40,647, 37,636 and 22,181 notifications, respectively.
However, when it came to the number of breaches reported per capita, Ireland had the second highest rate in Europe, with 132.5 breaches per 100,000 people since January 2019. This is up from 74.9 breaches per 100,000 people in last year’s report.
Differences in reporting
In overall reporting, Ireland was ranked fourth in Europe, with 10,516 reports between May 2018 and January 2020, including 6,716 from last year alone. By comparison, the Netherlands had the highest number of breaches, at 40,647 since GDPR came into force, and is also the nation with the highest breaches per capita at 147.2 per 100,000 people.
Ireland is also one of several nations in Europe that has not imposed GDPR fines. The highest fine imposed to date was €50m, which the French data protection regulator demanded from Google, alleging infringements of transparency rather than a data breach.
DLA Piper noted that elsewhere across Europe, the lowest number of reported breaches were in Italy, Romania and Greece. However, it said the fact that only 1,886 breaches were reported in Italy – a nation of around 60m people – suggested “cultural differences” in the approach to breach notifications.
DLA Piper partner Ross McKean said that GDPR has pushed the issue of data breaches “well and truly into the open”.
“The rate of breach notification has increased by over 12pc compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organisations,” he said.
“The total amount of fines of €114m imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement. We expect to see momentum build with more multi-million euro fines being imposed over the coming year as regulators ramp up their enforcement activity.”