British firms suffer 10,000 data breaches in GDPR era

Organisations in the UK have been hit by over 10,000 data breaches since the arrival of the General Data Protection Regulation (GDPR) on May 25th 2018, a study finds.

That ranks Britain third in Europe’s data breach league table, behind Germany, which reported 12,600 breaches, and the Netherlands on the top spot registering 15,400. Countries including Liechtenstein, Iceland, and Cyprus registered 5, 25 and 35 breaches respectively.

Across Europe, private and public sector companies have forwarded a total of over 59,000 data breach reports to countries’ regulators.

The research, conducted by legal firm, DLA Piper highlighted that the Netherlands also ranked highest in terms of the number of data breaches per capita, with 89.8 breaches flagged up for every 100,000 people. On the same scale, Britain ranked 10th and Germany one behind on 11th.

The findings draw on DLA Piper research “covering 23 of the 28 EU Member States, together with figures for Norway, Iceland and Lichtenstein (the three additional European Economic Area Member States), we calculate that there have been 59,430 reported data breaches over the same period across Europe,” the firm said.

DLA partner, Ross McKean said:

“GDPR is driving personal data breaches out into the open. Our report confirms this with more than 59,000 data breaches notified across Europe in the first 8 months since the GDPR came into force.”

The new laws arrived amid a wave of reports about the penalties that businesses could face for the most severe data protection transgressions, with the worst offences for non-compliance potentially attracting regulator fines of 4% of annual turnover or €20m, whichever is the greater.

Since last May, the world has seen that these were by no means empty threats, as regulators around the world have used the GDPR’s teeth to force firms to meet new standards relating to data protection, privacy and security.

The legal firm’s report also found that 91 fines have been issued for rule-breaking under the GDPR, but not all of these are due to breaches of personal data.

Facebook, Google, Marriott International and Cathays Pacific are just a few of the big names to have faced hugely embarrassing and costly data breach investigations over the last 12 months.

“The GDPR completely changes the compliance risk for organisations which suffer a personal data breach due to revenue based fines and the potential for US style group litigation claims for compensation,” McKean added.

Google has been the recipient of the largest of the 91 GDPR fines issued so far. The tech giant was hit with a €50m (£44m) penalty by French regulator CNIL in January 2019 for advertising without having proper consents in place.

DLA Piper has said that they anticipate heavier punishment will be meted out for breaches that threaten the wellbeing of victims.

“Regulators will treat data breach more harshly by imposing higher fines given the more acute risk of harm to individuals. We can expect more fines to follow over the coming year as the regulators clear the backlog of notifications,” said Sam Millar, a partner at DLA Piper.

In the immediate wake of the GDPR’s introduction, the Information Commissioner’s Office said that data protection complaints rose sharply, with the watchdog recording 6,281 complaints in the five weeks after May 25th. The figure is over double that recorded in the same time frame in 2017.

In the UK, British Airways has been one of the biggest companies to come under fire for non-compliance. Investigations into a data breach that was reported by the carrier in September 2018 revealed that 244,000 payment cards had potentially been compromised in an intrusion that took place between mid-April and the end of June last year.

Among the financial penalties issued across Europe were:

  • A €20,000 fine for failure to hash employee passwords, which led to a data breach
  • An €80,000 fine in January 2019 for health data being published online
  • A €4,800 fine imposed in Austria after a CCTV pavement surveillance operation was deemed excessive
  • Four fines totalling a combined value of €11,500 in Cyprus
  • A total of 17 fines in Malta

Tech firms under the microscope

Indeed, not all data breach notifications and user complaints lead to a fine, but the action demonstrates that the GDPR is working, especially in light of the huge penalties being levied against tech giants for poor personal data handling practices.

YouTube, which is owned by Google, is under investigation for non-compliance with GDPR following complaints filed by None of Your Business, with the NGO citing “right to access” violations under the GDPR’s Article 15.

If the charges stick, the popular video content platform could be hit with a fine of up to €3.87bn.

Complaints of a similar nature are also being made about other household tech names, including Apple, Amazon, Netflix, Spotify, SoundCloud, Flimmit, and DAZN.


Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.