59,000 cases in GDPR’s first year.

Blog | Assessment & Strategy


As GDPR reaches its first birthday the news has broken that there were no fewer than 59,000 breaches reported to regulators in the first year of its existence

Introduced in May 2018, the new General Data Protection Regulations (GDPR) revolutionised the reporting of data breaches across Europe and though no major fines have yet been issued it is understood that there have already been 91 penalties issued which were not large enough to make the news pages.


“The large number of reported breaches and the small number of penalties issued leads you to think the authorities across Europe are dealing with a pretty big backlog of cases and it’s only a matter of time before the bigger penalties are imposed,” said Mike Wills of CSS.


The two largest fines issued in the UK last year were both for £½ million levied as a result of investigations carried out under the old Data Protection Act of 1998.


Failure to protect

Credit reference agency Equifax was fined £500,000 in September for failure to protect the information of 15 million UK citizens from a 2017 cyber attack and a month later Facebook were fined a similar amount for their role in the Cambridge Analytica scandal.


The maximum penalties under GDPR are somewhat larger. A medium sized breach could cost a firm up to €10 million or 2% of its annual turnover. More serious breaches could provoke penalties of up to €20 million or 4% of turnover.


7,300 breaches a month

Research carried out by global law firm DLA Piper shows an average of 7,300 breach reports a month since GDPR began. Incidents ranged from emails being sent to the wrong recipient to major attacks involving millions of records being compromised.


Top transgressor was the Netherlands with 15,400 breaches, followed by Germany with 12,600 and the UK with 10,600.


The story so far

Mike Wills said: “This is the story so far and experts believe that the number of breaches remains higher than the number reported to regulators like our own Information Commissioner’s Office (ICO).


“The number of fines issued so far has been relatively low, but regulators across Europe are still dealing with a massive backlog of reports which is going to take time to clear so I think we can expect the incidence of fines and the size of penalties will grow as GDPR enters its second year.


How prepared are you?

The ICO has expressed concern that many firms still don’t have the procedures, technology or trained personnel in place to deal with possible data breaches.


Cyber security can often be low on the list of priorities of senior management who are having a tough time in today’s uncertain and ultra-competitive environment, but it’s no good closing the stable door once the horse has bolted.


A major cyber attack has the potential to bring a business to its knees. As well as the financial cost of putting things right there is the loss of reputation and the potential exodus of a sizeable chunk of your customer base who are not pleased that their personal financial information has ended up on the dark web where credit card details can be bought for as little as £1. A robust information security regime can give you the assurance that you’re not going to be the next breach big headline.


Published: 17th July 2019
Area: Assessment & Strategy