According to a survey from DLA Piper, 59,000 data breach notifications were performed in the EU from the coming into force of the GDPR, with unusual figures for some countries that might hide compliance issues.
My law firm, DLA Piper, just published a report named “DLA Piper GDPR data breach survey: February 2019” as part of the initiatives of our cybersecurity group of which I am part.
The number of data breach notifications across the EU
The survey considers the period from the 25th of May 2018 when the GDPR became applicable to the 28th of January 2019 which was the data protection day.
The findings are interesting since over 59,000 data breach notifications have been reported across the European Economic Area. The Netherlands, Germany and the UK topped the table in the report with over 10,000 data breach notifications.
The Netherlands, with 89.8 reported breaches per 100,000 people topped the list also when the number of notifications were weighted against country populations, followed by Ireland and Denmark, with Greece, Italy and Romania that reported the fewest number of breaches per capita.
As to the number of fines, 91 fines were issued during such period and the € 50 million fine issued against Google by the CNIL, the French data protection authority, was definitely the highest (Read on the topic “What does Google € 50 million GDPR fine mean for privacy compliance?“).
What does such data mean on the status of GDPR compliance across the EU?
The major gap between The Netherlands with 15,400 data breach notifications and for instance Italy where only 610 data breach notifications were performed might show that in some countries data controllers adopt a prudent approach and prefer to notify a data breach, delegating to the data protection authority to assess it. On the contrary, in others data controllers are more reluctant in notifying data breaches and attempt to identify any possible reason why a data breach notification shall not take place (Read on the topic “Your To-Do list to get ready for a personal data breach under the GDPR“).
But – given that the gap between countries is so large – I am concerned that in some countries there is still not a culture around data protection compliance. They either are not even aware that a data breach took place or prefer not to notify it, hoping that they will not be investigated by the competent data protection authorities.
However, in countries like Italy, the data protection authority performs dawn raids relying on the personnel of the tax police. Such actions may lead for instance to a full back-up of the email database of some members of the company (e.g. the CEO), with limited possibilities to raise the legal privilage on internal communications. Such back-up could show internal communications on the data breach and decision taken on the matter by the company.
This is a very hot topic ad the moment for a number of our clients for which we are drafting internal policies on how to deal with privacy related dawn raids and are running internal trainings on the matter for different lines of business.
And this will be one of the topics that we will discuss with the head of the tax police in charge of privacy related investigations in Italy at our event of the 1st of March 2019 (You can find the details of the event here “Ispezioni privacy – cosa aspettarsi e come essere pronti?“).
There is still a long way before the apprach to privacy compliance will change, but you may find interesting the following article “Top 3 lessons learnt on how to be ready for handle a data breach“. Also, don’t forget to download our “DLA Piper GDPR data breach survey: February 2019“.