A survey by multinational law firm Linklaters revealed that GDPR-related data breach notifications across European countries increased by 66% compared to the first year of the GDPR (from May 25, 2018 to May 24, 2019). However, the U.K. witnessed a decline in notifications, with a 17% drop compared to the notifications reported in the first year of the GDPR (11,499 notifications). The numbers doubled in France, with a total of 2,287 notifications (a 97% increase). Spain reported 1,608 data breach notifications, a 58% increase. The survey also found that Poland reported a high number of notifications compared to other EU countries, with 6,039 data breach notifications in 2019.
The analysis attributed the surge in data breach notifications in both France and Spain to companies being aware of their data security obligations. The reasons for the decline in data breach notifications in the U.K. include:
- Organizations over-reporting data breaches after the initial implementation of the GDPR
- The U.K.’s Information Commissioner’s Office (ICO) issuing a warning on the over-reporting of data breaches
- The U.K. having a high number of breach notifications compared to other countries in the first year of the GDPR
Most of the data breach notifications stemmed from breaches of confidential data or access by unauthorized third parties. The survey also highlighted that attackers mostly targeted clients and employees to steal data through hacking activities such as malware attacks, phishing e-mails, and compromising victims’ unsecured devices.
The analysis also highlighted the number of fines ordered under the GDPR in the last year. It said that only one fine was reported in the U.K., while 112 fines were ordered by the Spanish DPA, 10 by the Italian DPA, 9 by the Belgian DPA, 6 by the CNIL in France, 13 in Germany, and 5 in Poland. The findings are based on data analysis across seven European countries, namely Belgium, France, Germany, Italy, Poland, Spain, and the U.K.
Tanguy Van Overstraeten, Partner and Global Head of Linklaters’ Privacy and Data Protection Practice, said, “The harmonization of data protection rules across the EU has been largely successful under the GDPR; however, there are still significant differences among Member States – impacting uniformity of enforcement across the EU. Only harmonizing the approach towards the determination of sanctions will not be sufficient, the interpretation of the rules should also be common to all the Member States. Businesses need certainty and a more unified approach across the EU.”
Overstraeten added, “There is also a danger of GDPR fatigue amongst businesses and the Covid-19 crisis is impacting budgets which could limit resources to ensure compliance going forward. The further simplification and harmonization of data protection rules across the EU will be key to ensure companies can sustain this effort.”