The National Commission for Data Protection (CNPD), the body that enforces GDPR rules in Luxembourg, released figures on Friday for the period starting on 25 May and running through 27 September. A CNPD spokesman told Delano:
“We have received 158 complaints since 25 May, when the GDPR came into force. In total, we have already received 252 complaints in 2018, 52 more than in 2017.”
Organisations that hold personal data have reported, as required under GDPR rules, nearly 100 leaks and cyberattacks to the commission. “We have received 97 data breach notifications since 25 May,” the spokesman stated.
According to the CNPD figures released on 28 September:
- 56% of data breaches were caused by internal errors
- 36% were caused by external malicious activity
- 2% were caused by internal malicious activity
The most frequent causes of data breaches over the four month period were:
- Personal data mistakenly sent to the wrong person (32 incidents)
- Hacking (22)
- Phishing (8)
In addition, the CNPD recorded an increase in the number of inquiries that it has fielded from the public. The commission’s spokesman said that:
“There has also been an increase in written information requests (from 520 in 2017 to 837 in 2018) and legal opinions (22 in 2017 to 29 in 2018).”
Written information requests included:
“people asking for advice on data protection issues (for example, about surveillance in the workplace, data protection officers, data breaches) or having legal questions (GDPR, national law).”
Legal opinions are formal rulings published on the CNPD’s website.
Complaints up 60% in France, 250% in UK
Several of the CNPD’s European counterparts have issued similar figures. Last week France’s CNIL said that it received 3,767 complaints between 25 May and 25 September, compared to 2,294 during the same period the year before.
In the UK, there were 6,281 complaints filed with the Information Commissioner’s Office between 25 May and 3 July, up from 2,417 during the same period the previous year, according to the TechCrunch news site.
Ireland’s Data Protection Commission, the Irish Times reported on 30 July, had received a total of 743 complaints (or roughly 370 a month) since 25 May, up from an average of 230 complaints a month in 2017.