On 25 May 2018 new data breach notification laws began to apply across Europe, fundamentally changing the risk profile for organizations suffering a personal data breach.
Under the EU General Data Protection Regulation - 'GDPR' - personal data breaches which are likely to result in a risk of harm to affected individuals must be notified to data regulators. Where the breach is likely to result in a high risk of harm, affected individuals must also be notified.
"In the 8 months since GDPR has applied across Europe, there have been more than 59,000 personal data breaches notified to regulators."
Sanctions for failing to comply with the new notification requirements include fines of up to €10 million, or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Although as yet untested in the courts, it is likely that consolidated group revenues will be in the cross-hairs of regulators when they calculate fines.
There is a very short deadline for notification to data protection regulators. Organizations which determine the purposes and means of processing personal data (data controllers) must notify personal data breaches without undue delay and, where feasible, no more than 72 hours after having become aware of them; a notification made after 72 hours must be accompanied by the reasons for the delay. Where the requirement to notify affected individuals is triggered, those notifications must also be made without undue delay.
This report takes a closer look at the number of breaches notified to regulators and the first fines issued under the new GDPR regime for the period from 25 May 2018 to International Data Protection Day on 28 January 2019.