While the total figure was low compared to larger European countries, when calculated per capita, it was equivalent to 33 data breaches per 100,000 people.
The Netherlands reported both the highest number of breaches and the highest per capita ratio at 89.8 per 100,000 residents, followed by Ireland (74.9), Denmark (53.3), Finland (45.1) and Liechtenstein (39.9). The fewest breaches proportionately were recorded in Greece (0.6), Italy (0.9), and Romania (1.2).
The GDPR legal framework, which came into effect in the EU on 25 May 2018, provides guidelines on the collection and processing of personal information on individuals within the EU and obliges companies to report data breaches.
59,000 breaches reported
DLA Piper reported that there were 59,000 personal data breaches notified to regulators. They ranged from minor breaches, including errant emails sent to the wrong recipient, to cyber hacks affecting millions.
Under the GDPR law, fines can be issued for failing to comply with the regulation. DLA Piper wrote that 91 reported fines had been imposed under the new regime. “Not all of the fines imposed relate to personal data breach,” it wrote, adding that the highest GDPR fine imposed to date was for €50m. “This was a decision by the French data protection authority, the CNIL, made against Google in relation to the processing of personal data for advertising purposes without valid authorisation,” it said.
A total 64 fines appear to have been issued by German data protection authorities, according to the report. Maltese authorities issued 17 fines, a large number given the size of the country, the report points out.
“So far the level of fines have been low, certainly when compared to the maximum fines regulators now have the power to impose. However, we anticipate that 2019 will see more fines for tens and potentially even hundreds of millions of euros as regulators deal with the backlog of GDPR data breach notifications,” the report concluded, adding: “It is likely that regulators and courts will look to EU competition law and jurisprudence for inspiration when calculating GDPR fines and some regulators have already said they will do so.”