NEWS | 24 January 2020

160,000 data breaches reported under GDPR

EUROPE – Over 22,000 personal data breaches have been reported in the UK under the General Data Protection Regulation (GDPR) to date, with 160,000 reports across Europe as a whole.

Since GDPR was implemented in May 2018, the UK has had the third-largest volume of reported data breaches in the European Economic Area (EEA), after the Netherlands and Germany, according to research published by law firm DLA Piper.

When weighted by country population, the Netherlands had the most breaches notified per 100,000 people, followed by Ireland and Denmark.

There were 22,181 personal data breach notifications in the UK between 25th May 2018 and 27th January 2020. In the Netherlands, there were 40,647, while Germany had 37,636.

There has been a 12.6% increase in the average number of data breach notifications per day (278 between January 2019 and 2020, compared to 247 between May 2019 and January 2019).

According to the report, data protection regulators across the EEA have issued a total of €114m in fines under GDPR for various infringements, not just data breaches, with France, Germany and Austria topping the rankings in terms of the value of fines imposed.

In the UK, the Information Commissioner’s Office (ICO) has only issued one fine under GDPR to date – £275,000 levied on a London pharmacy in December 2019. The regulator’s notices of intent to fine both British Airways and Marriott under GDPR, issued in July 2019, were not included in DLA Piper’s report as neither had been finalised.

Ross McKean, partner at DLA Piper, said: “GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organisations”.

However, there is still a lack of consensus across Europe over how GDPR fines should be calculated, according to the research.

Patrick Van Eecke, chair of DLA Piper’s international data protection practice, said: “The early GDPR fines raise many questions. Ask two different regulators how GDPR fines should be calculated and you will get two different answers. We are years away from having legal certainty on this crucial question, but one thing is for certain, we can expect to see many more fines and appeals over the coming years”.