A fuller picture of data breach activity is beginning to develop in the European Union, where a new survey from DLA Piper reveals that authorities in the European Union logged more than fifty-nine thousand (59,000) reports of personal data breaches since the General Data Protection Regulation came into force about eight months ago. The 59,000 reported breaches highlighted in the survey ranged from minor incidents, such as errant emails sent to the wrong recipient, to major cyber-attacks affecting millions of individuals. During the analysed time period, regulators imposed 91 fines for GDPR violations, but not all of them were related to the exposure of personal data. For example, the highest was a recent €50 million fine imposed by the French data protection authority (CNIL) on Google for processing personal data for advertising purposes without obtaining the consent required under GDPR. In Germany, the regulators imposed a €20,000 fine on a company for failing to protect employee passwords with cryptographic hashes, while in Austria a €4,800 fine was issued for operating an unauthorised CCTV system that partially surveilled a public sidewalk.
In Malta, although a small country, a significant number of data breaches have been reported. The report mentions that over one hundred (100) data breaches were registered with the Information and Data Protection Commissioner (IDPC), out of which seventeen (17) fines have been imposed. Per capita, the Maltese figures are significant.
The GDPR requires data controllers to notify regulators whenever they experience a data breach. As a rule, and as far as Malta is concerned, data controllers must report a data breach to the IDPC, and the notification must typically occur within 72 hours of becoming aware of it. However, there is an exception to this rule: breach notification to the IDPC is not required where the data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The GDPR also obliges data controllers to notify affected data subjects without undue delay in the event of a data breach which is likely to result in a high risk to the rights and freedoms of natural persons. However, notification to the data subjects is not required when:
- The risk of harm is remote because the personal data is protected;
- The data controller has taken measures to protect against the harm;
- Notification would require disproportionate effort (in this case, however, a public communication or similar measure would be required instead).
To read the full DLA Piper data breach survey, please visit this link.
For more information about the GDPR, contact us.