The GDPR took effect on 25 May 2018. It strengthened existing rules on the collection, use and disclosure of personal data and brought in a tougher framework for oversight and sanctions. It also provided a range of new rights to data subjects and imposed a number of new obligations on businesses. This includes a new duty to report major data breaches.
The GDPR requires organisations to notify their local data protection authority of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".
In addition, where the breach is likely to result in a high risk to data subjects, the data subjects themselves must be informed directly without undue delay.
Since the GDPR took effect, a number of major data breaches have been announced, including incidents reported by airlines British Airways and Cathay Pacific and the Marriott hotel group, although, in EU terms, it remains unclear whether those incidents are being considered under the GDPR or earlier legislation.
Pre-GDPR, it was only in a few sectors, such as telecoms and banking, that companies faced obligations to report data breaches, although voluntary reporting was considered best practice.
A number of data protection authorities around Europe have in recent months confirmed that the introduction of the new data breach notification regime has led to a rise in reported data breaches. For example, in December last year the UK Information Commissioner's Office (ICO) announced that it had, at that stage, received more than 8,000 reports of data breaches since the GDPR took effect.
In November last year, Out-Law.com asked the European Data Protection Board (EDPB) how many post-GDPR data breaches it was aware had been reported to data protection authorities across Europe.
Citing figures up to 25 October 2018, the EDPB said around 27,000 data breaches had been notified to the authorities, but it cautioned that the figures may be "incomplete" and were estimates only, as they were "based on voluntary contributions" from the individual watchdogs. Those watchdogs, it said, were under "no obligation to report the total number of data breaches" to it, since breaches "only need to be notified to the EDPB in cross-border cases when the consistency mechanism is triggered".
More recent figures collated by the EDPB were publicised by the European Commission late last month.
The Commission said then that 41,502 data breaches had been reported to data protection authorities since May 2018, although it said it could not verify if all the reported figures related to breaches reported under the GDPR or whether some were reported under the previous legislation.
Subsequently, another law firm has estimated that there have in fact been nearly 60,000 data breaches reported since the GDPR began to apply, although it has admitted that it has not gathered data from every EU member state data watchdog and that its estimates are based on "best approximations" and its own extrapolations in relation to some of the data.
Data protection law expert Michele Voznick of Pinsent Masons, the law firm behind Out-Law.com, said: "The most reliable data regarding the volume of data breaches that have been reported by companies under the GDPR is that disclosed by the individual data protection authorities themselves. It is clear from what the ICO, as well as what counterparts in France, Ireland and the Netherlands, for example, have publicly disclosed, that the GDPR has spurred a significant increase in the notification of breaches."
"Regardless of the precise figure, the upward trend serves to highlight the increased awareness there is among businesses of their obligations under the GDPR. The introduction of the Regulation drew a lot of media and commentary, and it is clear that this has had a knock-on effect on raising awareness," she said.
"It is interesting that the Commission also highlighted the growing number of data protection complaints that national watchdogs have seen since the GDPR. This also reflects the public's raised awareness of their rights under data protection law, although it is notable that longstanding issues over compliance in telemarketing activities and in sending marketing emails, which fall subject to the GDPR's sister 'e-Privacy' rules, remain the most complained about issues. Those findings accord with what the ICO said in its last annual report and its latest recent update on regulatory action it has taken," Voznick said.