The European Union's General Data Protection Regulation (GDPR) has led to tens of thousands of data breaches being reported in the first eight months since the strict privacy laws came into effect, causing a large backlog of work for regulators.
Global law firm DLA Piper says in its analysis [pdf] of the effects of GDPR across Europe that over 59,000 data breaches have been reported to EU regulators since May last year.
They range from minor incidents such as email messages being sent to wrong recipients, to major hacks that affect millions of individuals.
As a result of the mandatory reports, DLA Piper says "regulators are stretched and have a large backlog of notified breaches in their inboxes."
The large number of notifications shows that many organisations are heeding the new rules, partly because of the severe sanctions that GDPR brought in.
These include very large fines of up to €10 million (A$15.8 million) or up to two percent of a company's annual worldwide turnover in the preceding financial year, which DLA Piper believes is likely to include consolidated group revenues.
"Sweeping data breaches under the carpet has become a very high risk strategy under the GDPR," DLA Piper said.
Even so, only 91 GDPR fines have been issued so far, most of them in the tens of thousands of euros, such as the €80,000 penalty imposed by the German data protection authority in January this year for a leak of health information onto the internet.
One exception is the €50 million fine handed out to Google by France's data protection watchdog CNIL last month.
DLA Piper expects that large fines in the tens or even hundreds of millions of euros will be imposed this year as regulators work through their backlogs of GDPR notifications.
"It is likely that regulators and courts will look to EU competition law and jurisprudence for inspiration when calculating GDPR fines and some regulators have already said they will do so.
Competition lawyers are not known to shy away from imposing hefty fines and have imposed some eye-catching multi-billion euro fines recently on large tech companies," the law firm said.
The Netherlands had the most reported data breaches (15,400), followed by Germany (12,600), the United Kingdom (10,600) and Ireland (3,800).
DLA Piper noted that some countries - Slovakia, Bulgaria, Croatia, Estonia and Lithuania - do not make breach notification statistics publicly available. Other countries only provide data for part of the May 2018 - January 2019 period, so DLA Piper had to extrapolate the figures to cover the full eight months.
Some breaches could also pre-date GDPR, the law firm said.