Since the European Union’s General Data Protection Regulation (GDPR) came into effect last May, EU organizations have reported almost 60,000 data breaches, but regulators have so far issued only 91 fines. A DLA Piper report speculates that the low number of fines, compared with the massive volume of reported breaches, is due to over-extended regulators.
DLA Piper’s own analysis found 59,430 disclosed data breaches across Europe, with the Netherlands, Germany and the United Kingdom having the highest numbers of reported breaches. Together, these three countries account for nearly two-thirds of breach notifications, with 15,400, 12,600 and 10,600 disclosures, respectively.
GDPR requires organizations to report the exposure of personal data to national data protection regulators, and to the affected individuals, within 72 hours of becoming aware of the breach. It also mandates strict security measures for protecting data, with fines for violations of up to USD $11 million or two percent of worldwide annual turnover. However, not all of the 91 fines were related to exposure of personal data. For example, the highest fine, USD $57 million, was imposed by the French data protection authority on tech giant Google for processing personal data for advertising purposes without obtaining the consent required under the GDPR.
Experts say regulators are still adjusting to the increased supervision and coordination roles they now play. Inevitably, the larger headline-grabbing breaches have taken priority when allocating resources, so many organizations are still waiting to hear from regulators whether any action will be taken against them in relation to the breaches they have notified.
Data suggests that under the risk of high sanctions, many companies have prepared themselves to comply with the GDPR’s breach notification requirements. However, significant discrepancies can still be observed among different countries and cultures.
“Sweeping data breaches under the carpet has become a very high-risk strategy under GDPR,” the DLA researchers conclude.