Add a bookmark to get started

Website_Hero_Abstract_Architectural_Shapes_P_0031_Mono
20 January 20202 minute read

DLA Piper GDPR Data Breach Survey 2020

Over 160,000 data breach notifications have been reported across the 28 European Union Member States plus Norway, Iceland and Liechtenstein since the GDPR came into force on 25 May 2018

2021 Data Breach Report now available >>


According to DLA Piper's latest GDPR Data Breach Survey, data protection regulators have imposed EUR114 million (approximately USD126 million / GBP97 million) in fines under the GDPR regime for a wide range of GDPR infringements, not just for data breaches. France, Germany and Austria top the rankings for the total value of GDPR fines imposed with just over EUR51 million, EUR24.5 million and EUR18 million respectively. The Netherlands, Germany and the UK topped the table for the number of data breaches notified to regulators with 40,647, 37,636 and 22,181 notifications each.

Data breaches by country chart

Commenting on the 2020 report, Ross McKean, a partner at DLA Piper specialising in cyber and data protection, said: "GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year's report and regulators have been busy road-testing their new powers to sanction and fine organisations".

The highest GDPR fine to date was EUR50 million imposed by the French data protection regulator on Google, for alleged infringements of the transparency principle and lack of valid consent, rather than for a data breach. Following two high profile data breaches, the UK ICO published two notices of intent to impose fines in July 2019 totalling GBP282 million (approximately EUR329 million / USD366 million) although neither of these were finalised as at the date of this report.

Data breaches per capita chart

This report takes a closer look at the number of breaches notified to regulators across Europe and details the numbers of fines issued in different countries since the start of the new GDPR regime on 25 May 2018.

For further information on the report, or on DLA's data protection and cybersecurity practice, please contact Ross McKean.

Request the report


Access the 2019 report

Print