More fines expected to be handed out in 2019, as regulators deal with breach backlog
More than 59,000 data breaches have been reported across Europe in the eight months since the GDPR legislation was introduced, a study claims.
GDPR – General Data Protection Regulation – came into force on May 25, 2018, setting out new rules on how businesses, organizations, and governments can collect and handle data.
Eight months on, new statistics from a UK law firm have suggested that 59,430 breaches have been reported in the time since the regulation was adopted.
The survey, conducted by DLA Piper, looked at breach reports from 23 of the 28 EU Member States from the period of May 25, 2018, to January 28, 2019.
Of the results, the Netherlands was found to have reported the most breaches (15,400), followed by Germany (12,600), and the UK (10,600).
The countries with the fewest reported breaches were Cyprus (35), Iceland (25), and Liechtenstein (15).
GDPR requires data controllers to report breaches within 72 hours of discovery.
It also rules that the data protection body in the relevant EU country can hand out fines of up to 4% of global annual turnover.
It was noted that some of the notifications included in the study – 9% – relate to breaches predating GDPR, when a different set of standards was in place.
DLA Piper, therefore, claims that these statistics are “best approximations”.
The study read: “It is still very early days for GDPR enforcement with only a handful of fines reported across the EU.
“With the exception of the recent €50 million fine imposed on Google, so far the level of fines have been low, certainly when compared to the maximum fines regulators now have the power to impose.
“However, we anticipate that 2019 will see more fines for tens and potentially even hundreds of millions of Euros as regulators deal with the backlog of GDPR data breach notifications.”
The most notable GDPR cases so far include that of Google, which was indeed fined €50 million by French regulator CNIL for violations.
The tech giant is also facing possible penalties from the UK’s Information Commissioner’s Office after it was accused of ‘forcing’ users to consent to data collection.