Since GDPR was introduced last year, data regulators have been formally notified of nearly 60,000 personal data breaches which are “likely to result in the risk of harm to individuals”. The UK is responsible for around 17% of these with only Germany and the Netherlands reporting greater numbers.
These statistics have come from The DLA Piper GDPR Data Breach Survey, undertaken by the firm’s specialist cyber-security team. Between 25 May 2018 and International Data Protection Day on 28 January 2019, there were 10,600 breaches reported in the UK, while the Netherlands experienced the highest notifications at 15,400 followed by Germany with 12,600.
Under GDPR regulations, organisations are obliged to quickly notify regulators of “personal data breaches likely to result in a risk of harm to affected individuals” and are also obliged to notify the individuals if the breach is likely to result in a “high risk of adversely affecting individuals’ rights and freedoms.”
The Information Commissioner’s Office (ICO) broadly defines a data breach as “a security incident that has affected the confidentiality, integrity or availability of personal data.” They go on to explain that this includes: if that data is lost, destroyed, corrupted or disclosed; if someone accesses it or passes it on without authority; and even if the data is made unavailable because it has been encrypted by ransomware, lost or destroyed. Breaches include both accidental and deliberate causes, meaning a breach is about more than just losing personal data.
Examples cited by the ICO include: access by an unauthorised third party; deliberate or accidental action (or inaction) by a controller or processor; sending personal data to an incorrect recipient; computing devices containing personal data being lost or stolen; alteration of personal data without permission; and loss of availability of personal data.
This first tranche of reported breaches ranges from minor breaches to major cyber hacks impacting millions of individuals.
GDPR has seriously impacted the compliance risk landscape for businesses experiencing a data breach. Failure to report breaches can result in massive fines – up to €10 million, or 2% of a business’s worldwide turnover. DLA Piper are keen to state that their report focuses only on reported data breaches. In reality, the fines for data breaches have so far been relatively low – but it’s likely the number and size of the fines will increase in the coming period.
The DLA Piper report concludes: “We anticipate that 2019 will see more fines for tens and potentially even hundreds of millions of Euros as regulators deal with the backlog of GDPR data breach notifications. It is likely that regulators and courts will look to EU competition law and jurisprudence for inspiration when calculating GDPR fines and some regulators have already said they will do so.”
This report underlines the responsibilities that businesses have when handling customer data of all kinds including payment data. Technology such as cloud-based solutions can help secure compliance and minimise risk by ensuring sensitive information such as credit card details is never recorded in the first place. Constraints such as GDPR, the Data Protection Act and PCI-DSS regulations are there to protect customers and, ultimately, the reputation of businesses – and with every public breach comes a further knock to consumer confidence.