According to new data from global firm DLA Piper, breach notifications under the GDPR are trending upwards.
In its “GDPR Data Breach Survey: January 2020”, DLA found that for the period between 28 January 2019 and 27 January 2020, there were 278 breach notifications per day on average across the European Economic Area, which covers all 28 member states of the European Union.
That amounted to a 12.6 per cent increase from the period from 25 May 2018 to 27 January 2019, which had an average of 247 breach notifications per day.
Details of notified breaches are not made public by default, DLA wrote, but it posited that a “wide spectrum of data breaches have been notified from fairly minor errant emails mistakenly sent to the wrong address to the most serious criminal cyber-attacks affecting millions of individual records”.
The Netherlands, Germany and the UK had the most data breaches notified over the 20 months from 25 May 2018 to 27 January 2020, DLA found.
“When the results are weighted to take into account country population, The Netherlands retains its top ranking with the most breaches notified per 100,000 capita. Ireland and Denmark also retain their second and third rankings in the breaches per 100,000 capita table,” it said.
Some notable GDPR fines have been imposed over the last year for a wide range of GDPR infringements, not just relating to data breaches, the firm mused, but added that “with some notable headline-grabbing exceptions, relatively few fines have been imposed under the new GDPR regime”.
“Not all GDPR fines are made public. The total (reported) fines for the full 20-month period across all countries surveyed [were] just over €114 million (about US$126 million/£97 million) which is quite low given that supervisory authorities enjoy the power to fine up to 4 per cent of total worldwide annual turnover of the preceding financial year. France, Germany and Austria top the table for the total value of GDPR fines imposed to date with €51 million, €24.5 million and €18 million respectively,” it wrote.
Moreover, the firm continued, there is some confusion as to what constitutes a notifiable breach.
“Many organisations and indeed many supervisory authorities are struggling with how to determine when a breach is or is not notifiable given the vagaries of the legal trigger for notification – where there is ‘a risk’ to the rights and freedoms of natural persons,” it said.
“Neither term is defined in the GDPR. Some guidance is available, however, the guidance is high level and open to wide interpretation. Further guidance would be welcomed both by organisations reporting breaches and supervisory authorities assessing breaches in order to drive consistency and best practice for risk assessment.”
A consistent approach, DLA concluded, would also help supervisory authorities across the EU to triage and identify the most serious personal data breaches more quickly.