Significant Increase In GDPR Fines And Data Breach Notifications - Survey By DLA Piper
Global law firm DLA Piper's latest annual GDPR fines and data breach survey reports that nearly EUR1.1bn (NZD1.84bn) of fines have been imposed for a wide range of infringements of Europe’s General Data Protection Regulation.
That total, covering fines imposed since 28 January 2021, is a 594% year-on-year increase on the EUR158.5m (NZD265.1m) recorded for the equivalent period a year earlier. DLA Piper also found that breach notifications in the UK and Europe have continued to grow: the average rose 8%, from 331 notifications per day last year to 356 per day this year, with more than 130,000 personal data breaches notified in aggregate since 28 January 2021.
Nick Valentine, DLA Piper's Head of Technology and Data Protection in New Zealand, noted that following the introduction of the new and improved Privacy Act 2020 just over 12 months ago, New Zealand businesses are keenly watching the approach taken by international data protection regulators.
“DLA Piper's findings on breach notifications will be of particular interest, following several high-profile cyberattacks in New Zealand last year and the introduction of mandatory breach reporting under the new Privacy Act,” he says.
Significant as the increase in fines is, the 2020 judgment of the Court of Justice of the European Union in the “Schrems II” case against Facebook remains the top data protection compliance challenge for many organisations. It affects New Zealand businesses that are either caught by the extraterritorial scope of the GDPR or need to exchange data with EU/UK customers or suppliers. The judgment requires organisations exporting personal data from Europe and the UK to third countries to map those transfers comprehensively and to assess in detail the risk that public authorities in the destination country will access the data, greatly increasing the compliance burden on both data exporters and data importers.
Nick Valentine says "the judgment has significant impacts for New Zealand companies doing business across multiple jurisdictions, and highlights the importance of New Zealand maintaining its adequacy decision under GDPR (and the post-Brexit 'UK GDPR'), which is currently under review".
Valentine notes that if New Zealand loses its 'whitelist' (adequacy) status, multinational corporations will find it considerably more difficult to carry on business in New Zealand, particularly because, beyond fines and compensation claims, the Schrems II judgment raises the prospect of service interruption if data transfers are suspended, with serious implications for business continuity.
He says “the threat of suspension of data transfers is potentially more damaging and costly than the threat of fines and compensation claims. The focus on transfers and the significant work required to achieve compliance inevitably means that organisations have less time, money and resource to focus on other privacy risks.”
N.B. Not all Member States of the European Economic Area make details of breach notification statistics publicly available. Several have only provided incomplete statistics or statistics for part of the period covered by this report so the figures have been rounded up and in some cases extrapolated to provide best approximations. Similarly not all GDPR fines are publicly reported and some data only covered part of the period covered by this report.
About DLA Piper
DLA Piper is a global law firm with lawyers located in more than 40 countries throughout the Americas, Europe, the Middle East, Africa and Asia Pacific, positioning us to help clients with their legal needs around the world. In certain jurisdictions, this information may be considered attorney advertising. dlapiper.com