Five years of the GDPR: an overview

The European Union's General Data Protection Regulation (GDPR) has now been in effect for over five years, marking a significant milestone in the realm of data privacy and protection. Since its official implementation on May 25, 2018, the GDPR landscape has evolved, and new data breach statistics have emerged, including insights from DLA Piper's latest annual General Data Protection Regulation (GDPR) Fines and Data Breach Survey.

Reflecting on 5 years of GDPR

Over the past five years, most organizations have adapted to GDPR's requirements, avoiding consequences such as hefty fines, reputational damage, and revenue loss. However, not all organizations have been equally successful in protecting themselves from data breaches.

Recent insights from DLA Piper's survey reveal updated statistics on data breaches since GDPR's implementation:

• Data protection supervisory authorities across Europe have issued a total of EUR 1.64 billion (USD 1.74 billion/GBP 1.43 billion) in fines since January 28, 2022, reflecting a year-on-year increase in aggregate reported GDPR fines of 50%.
  
• This figure is more than double the aggregate value of fines issued in 2021, demonstrating data protection supervisory authorities' growing confidence and willingness to impose high fines for breaches of the GDPR.
  
• The increase in data breach notifications has started to level off, with an average of 300 notifications per day from January 28, 2022, to January 27, 2023, compared to 328 in the previous year. There were approximately 109,000 personal data breaches reported during this period, a slight decrease from the previous year, possibly due to more mature GDPR notification procedures and increased caution among organizations regarding potential investigations, fines, and compensation claims.
  
• The Netherlands tops the list as the country with the most reported data breaches. Since the GDPR became a requirement, they have reported 117,434 data breaches. Germany is the runner-up (with 76,967 reported data breaches) with the United Kingdom (with 49,213 reported data breaches) bringing up the close for the top three. High numbers but it can be said that these countries take legislation seriously! 
  

Source: DLA Piper GDPR Fines and Data Breaches Survey 2023

• The top 5 countries in terms of GDPR fines imposed from 25th May 2018 are:

• • • Ireland: €1,303,514,500
    • Luxemburg: €746,345,675
    • France: €428,238,300
    • Spain: €84,758,979
    • Germany: €76,310,455

Source: DLA Piper GDPR Fines and Data Breaches Survey 2023

European data protection authorities

The General Data Protection Regulation (GDPR) is the main law in Europe and though it has been in place since 2016, it didn't become enforceable until May 2018. European member states are therefore obliged to follow it, though many countries have their own data privacy authorities to report data breaches. Some examples follow below: 

• The Autoriteit Persoonsgegevens (AP) is the authority for reporting data breaches in the Netherlands. As an organization, you must report a data breach here within 72 hours.
• In Germany the national authority is the Bundesdatenschutzgesetz (BDSG). 
• The United Kingdom has the Information Commissioner’s Office (ICO) which protects the data of their civilians. 
• Ireland is covered by the Data Protection Commission (DPC) 
• In Sweden the Integritetsskyddsmyndigheten (IMY) makes sure civilians’ data is protected.
  
• In Belgium the Autorité de protection des données (APD) also known as the Gegevensbeschermingsautoriteit (GBA) is where all the data breaches get reported. 
  
• Datatilsynet is the Danish authority on data protection and data breaches.

Continuing adjustments in the GDPR landscape  

While GDPR has been in place for over five years, data breaches remain a persistent concern. In 2022, numerous data breaches were reported, emphasizing the ongoing need for robust data security measures. Ensuring data security remains a top priority for organizations to protect sensitive information effectively.

Here is a brief overview of what's changed since the introduction of GDPR. 

The legal bases for collecting personal data:

• Unambiguous consent
• Contractual Necessity
• Compliance with legal obligations
• Vital interests
• Public interests
• Legitimate interests
  
  

Technical and organizational measures

• Register with all processing operations
• Data protection policy
• (Digital) security
  
  

In addition, people involved have been given more rights:

• Right to access data
• Right to make changes (rectification)
• Right to be forgotten 
• Right to restriction of processing
• Right to carry over data 
• Right to information 
  
  

The GDPR was introduced to protect the personal data of users and reduce the risk of security breaches. It goes without saying that people have been given more rights with regard to their personal data. That's a good thing, too! You want personal information to stay safe and secure, so it's in everyone's best interest to comply with the GDPR. 

European data protection authorities

The General Data Protection Regulation (GDPR) is the main law in Europe and though it has been in place since 2016, it didn't become enforceable until May 2018. European member states are therefore obliged to follow it, though many countries have their own data privacy authorities to report data breaches. Some examples follow below: 

• The Autoriteit Persoonsgegevens (AP) is the authority for reporting data breaches in the Netherlands. As an organization, you must report a data breach here within 72 hours.
• In Germany the national authority is the Bundesdatenschutzgesetz (BDSG). 
• The United Kingdom has the Information Commissioner’s Office (ICO) which protects the data of their civilians. 
• Ireland is covered by the Data Protection Commission (DPC) 
• In Sweden the Integritetsskyddsmyndigheten (IMY) makes sure civilians’ data is protected.
  
• In Belgium the Autorité de protection des données (APD) also known as the Gegevensbeschermingsautoriteit (GBA) is where all the data breaches get reported. 
  
• Datatilsynet is the Danish authority on data protection and data breaches.

The best defense against data breaches

No one wants to experience a data breach. Fortunately, there are many ways to prevent this. Here are some tips: 

• Train your employees. Make them aware of data security and prevent them from causing a data breach through, for example, a phishing attack.
• Use two-factor authentication when you exchange sensitive information.
• Use a password manager to strengthen your employees' passwords.

In conclusion, while GDPR has made significant strides in promoting data protection, the increase in fines and evolving trends underscore the importance of continued vigilance. Organizations must remain vigilant, adapting to evolving threats and regulations to protect the personal data of individuals while avoiding legal and reputational repercussions.