Linklaters analysis shows a 66% increase in data breach notifications across major European markets

  • Across major European markets, data breach notifications have increased by an average of 66% compared to Y1 of the GDPR.
  • The number of declarations is rising significantly and consistently throughout major European markets, apart from the UK, where the number of data breach notifications has decreased by 17% due to “rightsizing” following over-reporting in Y1.

According to a Linklaters analysis, there has been a major increase in data breach notifications to data protection authorities, with an average increase in notifications of 66% compared to Year 1 of the EU General Data Protection Regulation (‘GDPR’) (25 May 2018 to 24 May 2019). However, the UK has bucked the trend, reporting a decrease. These findings come ahead of the European Commission’s two-year review of the GDPR due to be released on Wednesday, 24 June 2020. The analysis covered seven European countries: Belgium, France, Germany (Free State of Bavaria), Italy, Poland, Spain and the UK.

In the UK, the number of data breach notifications has dropped by 17% to 11,499, whereas numbers almost doubled in France, with a 97% increase to 2,287, and also soared in Spain, which reported 1,608 notifications, a 58% increase compared to Y1. The increase in both France and Spain is explained by the fact that companies are more aware of their obligations and that many of them were still undergoing their compliance programmes during Y1. Following that trend, Poland has reported a relatively high number of notifications in comparison to other EU countries, with 6,039 data breach notifications in 2019. This is likely to be due to the relatively low threshold set by the local data protection authority (DPA); consequently, most companies adopt a safe approach and prefer to notify even non-material data breaches.

Factors contributing to the UK’s decrease in data breach notifications include:

  • Organisations over-reporting following the initial implementation of the GDPR;
  • The UK DPA (the ICO) issued a warning on the over-reporting of data breaches; and
  • The UK had particularly high breach notifications compared to other countries in Y1 of the GDPR.

According to the Linklaters analysis, the majority of breach notifications stemmed from breach of confidentiality/access by unauthorised third parties and the main categories of data subjects concerned were clients and employees. The key sources of breaches ranged from:

  • External malicious acts, for example, hacking or scams;
  • Sending e-mails/documents to incorrect recipients;
  • Loss or theft of unsecured devices, such as mobile phones and laptops; and
  • Inadequate security measures for data available over the Internet, for example, improperly secured databases.

Linklaters has also analysed another trend: the number of fines published so far under the GDPR in the last year. Only one fine was reported in the UK, while 112 fines have been ordered by the Spanish DPA, 10 by the Italian DPA, 9 by the Belgian DPA, 6 by the CNIL in France, 13 in Germany and 5 in Poland. However, the UK ICO has EUR 314,000,000 worth of proposed fines in its pipeline.

Tanguy Van Overstraeten, Partner and Global Head of Linklaters' Privacy and Data Protection Practice, comments:
“The harmonisation of data protection rules across the EU has been largely successful under the GDPR; however, there are still significant differences among Member States – impacting uniformity of enforcement across the EU. Only harmonising the approach towards the determination of sanctions will not be sufficient; the interpretation of the rules should also be common to all Member States. Businesses need certainty and a more unified approach across the EU.
“There is also a danger of GDPR fatigue amongst businesses and the Covid-19 crisis is impacting budgets which could limit resources to ensure compliance going forward. The further simplification and harmonisation of data protection rules across the EU will be key to ensure companies can sustain this effort.”