- European regulators have logged more than 59,000 personal data breach notifications since the enactment of GDPR last May, according to a survey by the DLA Piper cybersecurity team. The incidents range from emails sent to the wrong person to cyberattacks that impact millions.
- The Netherlands, Germany and United Kingdom reported the most data breaches with 15,400, 12,600 and 10,600, respectively. The Netherlands took a double whammy with the highest number of breaches and the highest rate of reported breaches per capita (89.8 per 100,000 people); Ireland and Denmark took second and third spots with 74.9 and 53.2, respectively.
- The law firm found that regulators have handed down 91 fines under GDPR, though not all related to data breaches. Outside of the largest fine — $57 million for Google — two fines in Germany reached into the tens of thousands of dollars for an employer who didn't hash passwords and suffered a breach and for improper publishing of health data online; the rest of the fines were relatively low at several thousand dollars.
Regulators have been backlogged by a wave of consumers and interest groups filing complaints in addition to companies reporting data breaches. Understaffed and underresourced, their ability to address every event in a timely fashion is likely limited.
The high numbers show that GDPR is having a positive impact on companies' approaches to data protection, breach detection and transparency with regulators and customers, Jean-Michel Franco, senior director of data governance products at Talend, said in a statement to CIO Dive.
"You cannot improve what you cannot measure, and you put even more energy and resources to improve when the related measurement becomes red flag and has to be shared to a wide range of people," he said.
Industry leaders were waiting for the first major GDPR fine until France's data protection body CNIL imposed the multimillion dollar fine on Google last month for its information and consent practices around mobile device configuration. Google said it will appeal the fine.
While $57 million is a monumental sum the fine was nowhere near the maximum penalties regulators could have placed on Google given the size of its global annual revenue.
GDPR's breach notification requirements are important, but there is a misconception that the core of the regulation is about protection against data breaches, Franco said. The Google fine, the largest to date, and other actions from privacy associations demonstrate that consent management or rights for data access are also of top concern.
Breaches were highest among some of Europe's top economic powerhouses. Germany and the United Kingdom account for more data breaches than the remaining 23 countries with data reported combined; most countries (17) reported fewer than 1,000 data breaches.
But high saturation was limited to a handful of nations, with 14 countries coming in with a per capita impact of less than 10 people per 100,000. A lower per capita impact does not equate to low impact, however.
Editor's note: Jean-Michel Franco's comments on top concerns for data privacy have been updated for clarity.