Public and private organisations across Europe reported over 59,000 incidents of data breach since the arrival of GDPR with over 10,000 of such incidents reported by UK-based organisations, research has revealed.
According to law firm DLA Piper's GDPR Data Breach survey, organisations based in the Netherlands and Germany reported more incidents of data breach (15,400 and 12,600 respectively) than those in the UK (10,600) but UK-based organisations fared much better in terms of breaches per capita, ranking tenth among European countries.
"The GDPR completely changes the compliance risk for organisations which suffer a personal data breach due to revenue based fines and the potential for US style group litigation claims for compensation," said Ross McKean, a partner at DLA Piper.
"As we saw in the US when mandatory breach notification laws came into force, backed up by tough sanctions for not notifying, the GDPR is driving personal data breach out into the open. Our report confirms this with more than 59,000 data breaches notified across Europe in the first 8 months since the GDPR came into force," he added.
EU watchdogs issued 91 fines for GDPR violations
The GDPR Data Breach Survey also revealed that since May last year, governments across Europe issued fines in 91 cases to organisations that suffered breaches or violated various provisions of GDPR, with the €50 million fine issued by the French data protection commission (CNIL) to Google in January this year emerging as the largest fine issued so far.
"The regulators have already started to flex their muscles with 91 GDPR fines imposed to date but the fine against Google is a landmark moment and is notable partly because it is not related to personal data breach," said Sam Millar, a partner at DLA Piper.
"We anticipate that regulators will treat data breach more harshly by imposing higher fines given the more acute risk of harm to individuals. We can expect more fines to follow over the coming year as the regulators clear the backlog of notifications," he added.
Commenting on DLA Piper's findings, Brian Vecci, Field CTO at Varonis, said that this goes to show that breaches have been happening at an increasing rate and it took stricter notification laws to make sure the public is made aware.
"On the face of it, it sounds like the GDPR is working as designed. The new report throws open the curtain and sheds light on the true state of data security – and it’s not a pretty picture. When personal data is exposed, no matter how insignificant, it’s important that individuals know about it.
"The bigger question is: are organisations are working to make these kinds of issues less likely? Can they quickly detect these kinds of incidents and how long is it taking to investigate them? One important point is that incidents have to be reported even if they’re inconclusive. Many incidents may not result in actual exposure but because so much data goes unmonitored, it’s impossible to prove that it was kept private," he added.