
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


Data Breaches and the GDPR - 1 Year Later

Topics: Data Protection, Data Loss Prevention, Data Breach, GDPR, General Data Protection Regulation, Data Security

Posted: 12 June 2019


For some, it might have felt like the GDPR was a bit of an anti-climax. The relative hysteria in the build-up to May 2018 has not led to the end of marketing departments, the mass administration of fined companies, or denial of service by DPIAs.

Instead, in the 12 months since its enforcement, all has been a little quiet.

Or has it?

The GDPR in Numbers

According to global law firm DLA Piper, in the first 8 months of enforcement there were over 59,000 reported data breaches in 23 of the 28 EU member states, with the United Kingdom in third place.


Interestingly, when breaches are weighed per 100,000 head of population, the United Kingdom and Germany rank only tenth and eleventh respectively, even though the absolute number of breaches reported across all member states has risen since May 2018.

The Netherlands remained at the top for the ratio of breaches to population, followed by Ireland and Denmark. Notably, the Danish supervisory authority has ruled that emails containing sensitive personal data must be sent encrypted, which is likely to turn unencrypted emails into reportable incidents and may partly explain Denmark's position.

Despite the intended harmonisation of data protection legislation, stricter rules or reporting practices in some member states could be inflating their breach notification numbers disproportionately in comparison to others.

It is also worth considering how the GDPR allocates organisations to supervisory authorities. Non-EU organisations that process the personal data of data subjects in the EU must, in most cases, designate a representative in one of the member states (Article 27). Organisations that are established in the EU deal primarily with the supervisory authority of the member state where their main establishment is located, under the "one-stop shop" principle (Article 56), and that establishment can be in any of the 28 member states.

Companies such as Microsoft, Google and Facebook have all established their European headquarters in Ireland, and many others have chosen the Netherlands as their base of operations. While there are no specific numbers on how many of the reported breaches are attributable to such organisations, this could again be having a disproportionate effect on the reporting numbers in those member states.



Who Has Been Fined?

According to DLA Piper's report, 91 penalties have been imposed so far under the GDPR. It is important to note that not all 91 relate specifically to data breaches: some are for failing to disclose breaches, and others for failing to honour data subjects' rights.

For example, in January of this year, Google was fined 50 million EUR by France's supervisory authority (CNIL) for failing to provide transparent information to users and for relying on consent for personalised advertising that CNIL found was not validly obtained, meaning the processing lacked a valid legal basis. CNIL assessed the infringements under the higher of the GDPR's two penalty tiers (up to 20 million EUR or 4% of annual global turnover, whichever is greater), although the amount actually imposed is well below 4% of Google's turnover.

Germany accounts for 64 of the 91 penalties applied, including one of the larger penalties to date: an 80,000 EUR penalty from the LfDI (a German state data protection authority) against an organisation that published health data on the internet.

Not all penalties are as high. In one notable case in Austria, a company was issued a penalty of 4,800 EUR for unlawful and excessive CCTV coverage of a public space.



What’s Next for the GDPR?

It's still early days for the GDPR. Some of the data breaches reported in the past 12 months are even acknowledged to have occurred before May 2018, and are therefore subject to the previous data protection legislation rather than to GDPR penalties.

However, for some the bite has indeed matched the bark, despite the relatively low media coverage in comparison to the build-up.

The advice is still to engage with your legal, compliance and IT departments to ensure you are complying with the articles of the GDPR. What might have seemed a Y2K-bug-like build-up is having real consequences for those who fall foul of it.


Posted by: Infinigate UK