More than 160,000 data-breach notifications have been reported to the authorities since Europe’s new digital privacy regulation came into force. The number of breaches and other security incidents being reported is still increasing.
According to an analysis by law firm DLA Piper, after the General Data Protection Regulation (GDPR) came into force on 25 May 2018, there was an average of 247 breach notifications per day during the first eight months. Since then the rate has risen to an average of 278 notifications a day.
Ross McKean, a partner at DLA Piper specializing in cyber and data protection, said that GDPR has driven the issue of data breaches well and truly into the open. The rate of breach notification has increased by over 12% compared to last year’s report, and regulators have been busy road-testing their new powers to sanction and fine organizations.
According to the GDPR Data Breach Survey, the total of GDPR-related fines paid so far comes to €114m ($126m/£97m). The largest fine paid so far was the €50m issued by the French data protection authority, CNIL, to Google over infringements around transparency and consent.
The UK Information Commissioner’s Office (ICO) has issued two huge fines relating to data-protection infringements, but neither of the organizations involved has come to a final agreement over the payments.
British Airways was issued a £183m ($238m/€213m) fine last year over cyberattacks against its systems that led to the theft of the personal details of around 500,000 customers.
After conducting an extensive investigation, the ICO concluded that information was compromised by “poor security arrangements” at British Airways.
The ICO then issued a fine of £99m ($124m/€112m) to Marriott Hotels for a data breach that exposed the personal details of 339 million guests around the world, including 30 million European citizens and seven million UK citizens.
In 2014, hackers breached Starwood Hotels, which Marriott subsequently purchased in 2016, but the breach wasn’t discovered and patched until 2018.
Both Marriott and British Airways are appealing their fines.
Under GDPR, organizations can be fined up to four per cent of their annual turnover if they are found to have been irresponsible with security following a data breach. It is believed that only one-third of organizations are fully GDPR-compliant.
The total amount of fines imposed so far is relatively low when compared to the potential maximum fines that can be imposed under GDPR.
McKean indicated that enforcement is still in its early days and that he expects momentum to build, with more multi-million euro fines being imposed over the coming year as regulators ramp up their enforcement activity.