DAC Beachcroft's EU Breach Notification Heat Map: A divided Europe


Published 29 January 2019

Leading up to the General Data Protection Regulation’s (GDPR) implementation, one of the most widely anticipated changes was the set of breach notification requirements imposed on data controllers.

The GDPR obliges data controllers to report data breaches to the relevant national Data Protection Authority (DPA) within 72 hours of becoming aware of the breach, unless the breach is unlikely to pose a risk to individuals. If it is further determined that the breach poses a high risk to individuals, then data controllers are also obliged to inform those affected individuals.

These obligatory notification requirements were a novelty for a majority of Member States, and many commentators including ourselves predicted a significant rise in breach notifications post-GDPR. What wasn’t clear, however, was whether that rise would be felt in every Member State or only certain jurisdictions.

In order to investigate the effect of the new notification rules across Europe, our Cyber & Data Risk team researched notification levels before and after the implementation of GDPR (between 25 May and 25 November 2018). Our research was conducted via freedom of information requests, asking each EU DPA for the total number of notifications they had received since 25 May 2018, as well as any comparable data for previous years.

Since each regulator’s statistics varied, we adopted the uniform measurement of ‘Notifications per week’ in order to compare the data received. The resulting Heat Map allowed us to make some interesting observations:

Our Breach Heat Map shows a sharp contrast in breach number themes across the continent. Only Italy and Portugal failed to provide statistics in response to our request.

The “busiest DPAs” handle around 100 times more notifications than others.

Those DPAs located in northwest Europe handled around 100 times more notifications per week than those in the southeast. Four countries (UK, Germany, Ireland and the Netherlands) handled over 100 notifications per week. Relatively high numbers were also reported by the Scandinavian countries and Denmark.

We doubt this is because there are more breaches happening in the northwest of Europe. Rather, we suspect the figures are down to a range of factors such as GDPR awareness in the Member State, resources of the DPA in that Member State, national populations, and, in the case of Ireland, the heavy presence of data-heavy multinationals.

Future Predictions

We expect that over the next 6 months, breach notification levels will begin to level out in those Member States with the highest notification levels. For those jurisdictions with lower notification levels, we would expect notifications to continue to increase as awareness grows. However, we expect an imbalance will remain across Europe.

This imbalance may have a secondary effect. There is an inevitable lag, but an undeniable connection, between breach notifications and the resulting regulatory sanctions. We have already seen the first few GDPR fines being issued by Member States, and so far they appear varied. However, as more sanctions are issued, it is fair to assume that those countries with more data breach notifications will experience more sanctions.

The great concern would be that forum shopping would take place by less scrupulous controllers seeking to place their main establishments in jurisdictions where there appears to be less regulatory activity. The role of the European Data Protection Board and its oversight of the harmonious application of the GDPR will be vital in the coming years.

For further information on breach notifications, please contact one of our Cyber & Data Risk team.

Our Breach Response Planner

The DAC Beachcroft Breach Response Planner (BRP) provides a step-by-step guide to building a practical plan for managing data breaches and other cyber incidents. The planner includes helpful tips and default content that can be easily customised. Your plan is easily and securely accessed at any time, from anywhere, on any device. It connects all your key stakeholders, keeping them informed, and engages with best-practice breach response.



Hans Allnutt


London - Walbrook

+44 (0) 20 7894 6925
