Although GDPR has produced a massive shift in personal data protection, European countries face an increasing number of data breaches. According to data gathered by PreciseSecurity.com, the Netherlands, Germany, and the UK top the European ranking for the number of data breaches, with more than 100,000 reported cases in total so far.
The EU’s General Data Protection Regulation, or GDPR, came into force on 25 May 2018. Since then, the total number of reported data breaches has jumped to more than 160,000, according to the DLA Piper GDPR Data Breach Survey 2020.
This rising trend shows that hackers regard personal information as highly valuable data worth compromising. However, it also indicates that many organizations are still struggling to comply with data privacy legislation, despite the prospect of substantial fines.
The Netherlands has reported the highest number of data breaches since GDPR came into force: 40,647 so far. Germany ranked second with 37,636, followed by the United Kingdom with 22,181 data breaches.
The Netherlands also has the highest number of GDPR data breaches per 100,000 people. From May 2018 to January 2020, this figure reached 147.20 violations. Ireland ranked second with 132.52 data breaches per 100,000 of its inhabitants. With 115.43 breaches per 100,000 people, Denmark took third place on this list.
The rising number of data breaches has also increased the total value of the GDPR fines imposed on European organizations and companies. The 2020 data show that the ten largest GDPR breaches have led to nearly €450 million in penalties so far. Compared to PreciseSecurity.com data from November 2019, the total of the ten biggest GDPR fines increased by €48 million in just three months.
Broken down by country, $314.9 million, or nearly 70% of that amount, was imposed by the UK’s Information Commissioner’s Office. In July 2019, British Airways was fined a record €204.6 million for a data breach, which is still the highest data breach penalty in the world. The ICO fined the British airline after the Magecart group used card skimming to collect the personal and payment information of up to half a million of its customers.
The second-highest data breach penalty, €110.4 million, relates to a cyber incident notified to the ICO by the American multinational company Marriott International in November 2018. The event exposed approximately 339 million guest records, of which 30 million related to residents of 31 European countries and another 7 million to UK citizens.
Google’s €50 million fine, imposed by France’s data protection regulator, CNIL, ranked third on this list. The fine was issued because Google failed to provide enough information to users about its data consent policies.
The fourth-largest GDPR data breach penalty, €27.8 million, was imposed on Italian telecommunications operator TIM SpA in January 2020. The Italian Data Protection Authority, Garante, received complaints that the telecommunications company placed promotional phone calls without consent and punished it for violations of the General Data Protection Regulation.