29 June 2020

GDPR data breach notifications on the rise across Europe, study finds

Linklaters analysis shows 66% rise in notifications over the past year despite fall in the UK

By Ben Edwards

The European Commission headquarters in Brussels: Tanguy Van Overstraeten is calling for further simplification and harmonisation of data protection. Image: Shutterstock

GDPR-related data breach notifications across major European markets have surged by two-thirds over the past year, according to a Linklaters analysis.

The only country to see a decline in notifications was the UK, which dropped by 17% compared to the first year of GDPR to 11,499 notifications, in part because UK organisations over-reported breaches between May 2018 and May 2019, the analysis showed.

The increase in data breaches in most cases involved confidentiality and access by unauthorised third parties, whether through malicious acts such as hacking, the sending of emails or documents to the wrong recipients, or the theft or loss of unsecured mobile devices and laptops.

Tanguy Van Overstraeten, partner and global head of Linklaters’ privacy and data protection practice, said: “The harmonisation of data protection rules across the EU has been largely successful under the GDPR; however, there are still significant differences among member states — impacting uniformity of enforcement across the EU. Only harmonising the approach towards the determination of sanctions will not be sufficient, the interpretation of the rules should also be common to all member states. Businesses need certainty and a more unified approach across the EU.”

He added: “There is also a danger of GDPR fatigue amongst businesses and the Covid-19 crisis is impacting budgets which could limit resources to ensure compliance going forward. The further simplification and harmonisation of data protection rules across the EU will be key to ensure companies can sustain this effort.”

The analysis covered data from seven European countries, including Belgium, France, Germany, Italy, Poland, Spain and the UK. In France, notifications almost doubled to 2,287, while in Spain notifications increased by more than half to 1,609. The increase in notifications in France and Spain is because companies are now more aware of their obligations under GDPR, Linklaters said.

The number of fines published over the past year under GDPR has also been uneven across the continent. The UK’s data protection authority, the ICO, reported just one fine, compared to 112 imposed by the Spanish DPA. That said, the UK ICO also has €314m worth of proposed fines in the pipeline, Linklaters added.

Research published by DLA Piper in January found that total GDPR fines to that point were €114m, with France, Germany and Austria imposing the highest fines.

Further reading on data and privacy

Privacy fears move up global GCs' agendas as business confidence edges up — Poll shows fall in number of GCs who think Covid-19 impact will be severe amid concern over lockdown easing guidance

US company leaders admit value of data is tempting businesses to sidestep rules, survey finds — Survey shows 78% of respondents believe companies willing to take risks to unlock greater value despite privacy concerns

US companies lack resources to check on data privacy compliance, survey finds — More than half of respondents unsure if they are fully compliant with new regulations
