According to a Linklaters analysis, there has been a major increase in data breach notifications to data protection authorities, with an average increase of 66 percent compared to Year 1 of the EU General Data Protection Regulation (‘GDPR’).
The UK, however, has bucked the trend and reported a decrease. The analysis covered seven European countries, namely Belgium, France, Germany (Free State of Bavaria), Italy, Poland, Spain and the UK, over a one-year period (May 15, 2018 to May 24, 2019).
In the UK, the number of data breach notifications dropped by 17 percent to 11,499, whereas numbers almost doubled in France, with a 97 percent increase to 2,287, and also soared in Spain, which reported 1,608 notifications, a 58 percent increase compared to Y1. According to Linklaters, the increase in both France and Spain can be explained by companies being more aware of their obligations, and by the fact that many of them were still rolling out their compliance programmes during Y1.
Following that trend, Poland reported a relatively high number of notifications in comparison to other EU countries, with 6,039 data breach notifications in 2019. This is likely due to the relatively low threshold set by the local data protection authority (DPA); consequently, most companies take a cautious approach and prefer to notify even non-material data breaches.
Factors contributing to the UK’s decrease in data breach notifications include:
- Organisations over-reporting following the initial implementation of the GDPR;
- The UK DPA (the ICO) having issued a warning about the over-reporting of data breaches; and
- The UK having had a particularly high number of breach notifications compared to other countries in Y1 of the GDPR.
According to the Linklaters analysis, the majority of breach notifications stemmed from breaches of confidentiality (access by unauthorised third parties), and the main categories of data subjects concerned were clients and employees. The key sources of breaches included:
- External malicious acts, for example hacking or scams;
- Sending e-mails or documents to incorrect recipients;
- Loss or theft of unsecured devices, such as mobile phones and laptops; and
- Inadequate security measures for data available over the Internet, for example improperly secured databases.
Linklaters also analysed the number of fines published under the GDPR in the last year: only one fine was reported in the UK, while 112 fines were ordered by the Spanish DPA, 10 by the Italian DPA, 9 by the Belgian DPA, 6 by the CNIL in France, 13 in Germany and 5 in Poland. However, the UK ICO has EUR 314,000,000 worth of proposed fines in its pipeline.