For some, it might have felt like the GDPR was a little bit of an anti-climax. Relative hysteria in the build-up to May 2018 has not led to the end of marketing departments, mass administration of fined companies or denial of service by DPIAs.
Instead, in the 12 months since its enforcement, all has been a little quiet.
Or has it?
The GDPR in Numbers
According to global law firm DLA Piper, in the first 8 months of enforcement there were over 59,000 reported data breaches in 23 of the 28 EU member states, with the United Kingdom in third place.
Interestingly, as a ratio of breaches per 100,000 people of population, the United Kingdom and Germany rank only tenth and eleventh respectively, despite the overall number of data breaches reported across all member states increasing since May 2018.
The Netherlands remained at the top for the ratio of breaches to population, followed by Ireland and Denmark. Notably, the Danish supervisory authority has ruled that emails containing sensitive information must be sent using email encryption services.
Despite the intended harmonisation of data protection legislation, stricter rules in some member states could be increasing their data breach reporting numbers disproportionately in comparison to others.
It is also worth considering that under GDPR rules, non-EU based organisations processing personal data of data subjects within the EU are mandated to register an EU-based office (main establishment), for reporting purposes. This location can be in any of the 28 member states under the “one-stop shop” principle.
Companies such as Microsoft, Google and Facebook have all established themselves in Ireland, and many others have chosen the Netherlands as their base of operations. While there are no specific numbers on how many of the reported breaches are attributable to such organisations, this could again be having a disproportionate effect on reporting numbers in those member states.
Who Has Been Fined?
According to DLA Piper's report, there have been 91 penalties imposed so far under the GDPR. It is important to note that not all 91 relate specifically to data breaches. Some are for failure to disclose breaches or for failing to honour data subjects’ rights.
For example, in January of this year, Google was fined 50 million EUR by France’s supervisory authority (CNIL) for processing personal data without a legal basis. In this case, CNIL chose to use the “4% of annual global turnover” threshold as the basis for calculating the penalty.
Germany accounts for 64 of the 91 penalties applied, including the second largest penalty applied to date – an 80,000 EUR penalty from the LfDI against an organisation that published health data on the internet.
Not all penalties are as high, with notable cases such as one in Austria, where a company was issued a penalty of 4,800 EUR for unlawful and excessive CCTV surveillance of a public space.
What’s Next for the GDPR?
It's still early days for the GDPR. Some of the data breaches reported in the past 12 months are even acknowledged to have occurred before May 2018, and are therefore subject to the previous data protection legislation.
However, for some, the bite has indeed been worthy of the bark, despite the relatively low media coverage in comparison to the build-up.
The advice is still to engage with legal, compliance and IT departments to ensure you are following the articles of the GDPR. What might have seemed a Y2K-bug-like build-up is having real consequences for those who fall foul of it.