Digital Guardian's Blog

Almost 60,000 Post-GDPR Data Breaches Reported in Europe

by Chris Brook on Wednesday February 6, 2019

Research published this week suggests there have been over 59,000 data breaches reported to data protection authorities in Europe since GDPR went into effect last year.

The EU’s General Data Protection Regulation hasn’t even been in effect for a year yet but countries in Europe have already reported over 59,000 data breaches since the data privacy law’s inception.

That's according to DLA Piper, a multinational law firm that's based in London but has nearly 40 offices in Europe.

According to a survey carried out by the law firm and released this week, there have been 59,430 breaches across Europe in the last eight months; countries like the Netherlands, Germany, and the U.K. topped the scales at 15,400, 12,600, and 10,600 breaches, respectively.

The Netherlands also had the most breaches per capita, followed by Ireland and Denmark while countries like Greece, Italy, and Romania had the fewest per capita.

The report specifically looked at breaches reported to regulators between May 25, the day GDPR went into effect, and January 28 - International Data Protection Day - the holiday held to raise awareness around privacy and data protection best practices.

Far-flung countries, like Iceland and Cyprus, along with tiny Liechtenstein, Europe's fourth smallest country (after Vatican City, Monaco, and San Marino) had the fewest breaches: 25, 35, and 15 respectively.

Only a fraction of those breaches actually resulted in fines, however. The report claims there have been 91 fines imposed since GDPR went into effect, the largest coming in December when Germany’s State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI) levied a €20,000 fine against a social media company for failing to hash passwords. Instead, the company stored them in plain text, something that ultimately triggered a fine after a hacker managed to make off with 330,000 passwords and e-mail addresses.

DLA Piper makes a point in the report to explain why its numbers don’t exactly match up with those published by the European Commission (.PDF) last month. In a statement released on January 25, the European Commission said there have been 41,502 data breaches reported since May 25. The law firm contends that these results only take into account voluntary contributions of 21, not all 28, EU member states and that its report is based on 23 of 28 EU member states, plus Norway, Iceland, and Liechtenstein.

Going forward, it remains to be seen if we see fines as eye-popping as the one France’s data protection regulator, CNIL, imposed on Google last month. CNIL fined the company $57M for failing to comply with GDPR, specifically for not obtaining user consent to process data for ad personalization.

“It is likely that regulators and courts will look to EU competition law and jurisprudence for inspiration when calculating GDPR fines and some regulators have already said they will do so. Competition lawyers are not known to shy away from imposing hefty fines and have imposed some eye-catching multi-billion Euro fines recently on large tech companies,” DLA Piper wrote in the report.

Having a data-centric data protection strategy can be key to demonstrating GDPR compliance and ensuring the data of EU citizens can be protected at rest, in use, and in motion.

Tags: GDPR, Data Protection

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.