
Report on EU Data Protection Authorities

Part 2: Reported Personal Data Breaches

Deloitte Privacy Services – Privacy Response


Introduction

On 25 May 2019 the General Data Protection Regulation (“GDPR”) celebrated its first anniversary and once more all eyes are turned towards the national Data Protection Authorities (“DPAs”).

The DPAs are facing busy times. Whilst their primary task is to enforce the application of the GDPR and ensure compliance, the GDPR entrusts the DPAs with a number of additional tasks. They are responsible for awareness, guidance, handling complaints and conducting investigations – to name just a few of their tasks.

In some circumstances, the GDPR also requires organizations to actively work with their DPA(s). Organizations must, for example, cooperate in investigations, consult their relevant DPA for certain high-risk Data Protection Impact Assessments (“DPIAs”), obtain DPA approval for Binding Corporate Rules (“BCRs”) and report certain personal data breaches within 72 hours.

It is therefore important for organizations to not only identify which DPAs they may need to engage with in the future, but also develop their knowledge on the characteristics of these DPAs. Some organizations may consider establishing a working relationship with their DPA(s), to ensure smooth communication in times of need.

At Deloitte we understand these needs. We have therefore conducted extensive research into certain key characteristics of the DPAs. The research seeks to paint a detailed picture and to provide you with a closer look at factors that may influence a DPA’s way of working. Some key topics include data breach reporting, resources, guidance issued and enforcement actions taken.

The results of our research will be published in the upcoming weeks in sub-reports. The comprehensive final report will also be available for download at the end of this period.

In this edition we present our findings on personal data breaches that were reported to the DPAs.

Report on EU Data Protection Authorities | Part 2: Reported Personal Data Breaches

Reported Personal Data Breaches


Reported Personal Data Breaches*

There is an increase in reported personal data breaches

The GDPR has introduced an obligation for all organizations to report certain types of personal data breaches to the relevant DPA. These data breaches have to be reported to the DPA without undue delay and, where feasible, within 72 hours after having become aware of the breach. This obligation already existed in some countries based on previous legislation, but for others this obligation is new.

Reporting data breaches is becoming more important. For example, the Dutch DPA stated in its last annual report that it will focus on the reporting of data breaches in its enforcement activities in the coming year.

In our previous report ‘Reporting a Personal Data Breach’ we looked into the different reporting requirements across the EU member states. Our research showed that although the GDPR seeks to harmonize data protection legislation across the EU, the practical means of reporting have not been fully harmonized and differ significantly between countries.

This report presents an overview of the data breaches reported to the DPAs between 2016 and 2018. In addition, it gives insights into the differences in the number of reported data breaches between the EU member states.

Our research shows that generally there has been an increase in reported personal data breaches since the GDPR became applicable in 2018. However, the number of reported personal data breaches proves difficult to compare, as the local DPAs use different timelines for counting the breaches. Additionally, different definitions of a personal data breach were used pre-GDPR.

All sources of the information can be found in the Appendix.

* The research has some limitations in that it only includes data that has been published by the DPAs themselves. Additionally, some DPAs only publish information in their own language, which resulted in language barriers in some cases. Due to the significant differences between EU member states regarding the practical means of reporting, this research may be subject to errors.


Reported Personal Data Breaches

Key findings


Key findings on reported personal data breaches

The sharp increase in reported personal data breaches may draw the attention of the DPAs towards data breaches. Is your organization ready for that?

In many countries the number of reported data breaches has significantly increased in recent years. Our findings show, for example, that Luxembourg saw an increase from 3 reported data breaches in 2017 to 172 in 2018. This sharp increase could be attributed to the fact that pre-GDPR, the obligation to notify the DPA of a personal data breach only applied to companies providing publicly available electronic communications services (such as mobile telephone companies). The GDPR extended this personal data breach reporting obligation to all other organizations that process personal data.

Belgium also saw an increase between 2017 and 2018, from 25 reported data breaches in 2017 to 445 in 2018. Similar to Luxembourg, the explanation for this increase in reported personal data breaches may be that the reporting obligation in Belgium was extended based on the GDPR. Before the GDPR came into effect, only telecom companies were obliged to report data breaches.

The Netherlands has the highest number of reported personal data breaches of the countries included in this research, with a total of 20.881 in 2018. The Netherlands also saw an increase in the number of reported data breaches, but the percentage increase is much smaller than the increases Luxembourg and Belgium experienced. The reason for this might be that a personal data breach notification requirement already existed in the Netherlands as of 1 January 2016. Between 2016 and 2017, the Netherlands saw a 75,81% increase, and between 2017 and 2018 a 108,62% increase.

Between 2016 and 2017, Ireland saw a 25,67% increase and this jumped to a 76,64% increase between 2017 and 2018.


Key findings on reported personal data breaches (contd.)

The increase in reported data breaches may result in the DPAs focusing on personal data breaches, or more specifically on the security of personal data processed by organizations. Organizations should therefore prepare themselves for possible action by DPAs with respect to the security of personal data and the reporting of personal data breaches.

That being said, the available information from the DPAs on reported personal data breaches is very difficult to adequately compare. This follows from the different timelines used by the DPAs for counting data breaches. Some start counting in January, some in March, and others only started counting on 25 May 2018. Furthermore, some countries defined personal data breaches differently pre-GDPR, which makes it difficult to assess how many personal data breaches (under the definitions provided by the GDPR) were reported between 2016 and 2018.

The next pages include charts focusing on certain interesting developments regarding the reported personal data breaches in a few countries between 2016 and 2018. We have chosen to highlight these specific countries because of the ample availability of their data or because the increase in reported data breaches was significant in those countries.


Total number of reported personal data breaches in 2018

Based on reports from local Data Protection Authorities

Country | Reported personal data breaches in 2018
Belgium | 445
Cyprus | 32
Denmark | 2.780
Estonia | 64
Finland | 2.700
France | 1.170
Ireland | 4.937
Italy | 650
Latvia | 46
Lithuania | 100
Luxembourg | 172
Malta | 108
Netherlands | 20.881
Spain | 547
Sweden | 2.297
United Kingdom | 3.156

Please be informed that some countries have not been included in the overview, as there was no (clear) information available regarding reported personal data breaches in those countries.

As previously mentioned, some countries use different timelines when accumulating statistics about reported personal data breaches. The DPAs from Cyprus, Denmark, Finland, Latvia, and Luxembourg counted from 25 May 2018 – 31 December 2018.

In Italy, the DPA counted reported personal data breaches from 1 March 2018 – 31 December 2018 and in Sweden from 25 May 2018 – 28 January 2019.

The DPA in the United Kingdom counts the reported personal data breaches from 31 March – 31 March of each year.

The other countries count the reported breaches per calendar year.


The Netherlands

Reported personal data breaches in the years 2016-2018

Year | Reported personal data breaches | Change compared to previous year
2016 | 5.693 |
2017 | 10.009 | + 75,81%
2018 | 20.881 | + 108,62%


Belgium

Reported personal data breaches in the years 2016-2018

Year | Reported personal data breaches | Change compared to previous year
2016 | 22 |
2017 | 25 | + 13,64%
2018 | 445 | + 1.680%


Ireland

Reported personal data breaches in the years 2016-2018

Year | Reported personal data breaches | Change compared to previous year
2016 | 2.224 |
2017 | 2.795 | + 25,67%
2018 | 4.937 | + 76,63%


United Kingdom

Reported personal data breaches in the years 2016-2018*

*the UK counts its personal data breaches from 31 March – 31 March of each year.

Year | Reported personal data breaches | Change compared to previous year
2016 | 2.565 |
2017 | 2.447 | - 4,60%
2018 | 3.156 | + 28,97%


Luxembourg

Reported personal data breaches in the years 2016-2018*

*the data from 2018 only includes reported data breaches from 25 May 2018 – 31 December 2018.

Year | Reported personal data breaches | Change compared to previous year
2016 | 1 |
2017 | 3 | + 200%
2018 | 172 | + 5.633,33%


More information?

Contact Deloitte’s Privacy Response Services

Preparation is key. Knowing the characteristics and the focus of your DPA(s) is an important component of preparing for a personal data breach.

At Deloitte’s Privacy Response Services, we aim to enable you to prepare for privacy emergencies. We support you in understanding the impact and practical implications of personal data breaches before they actually occur, and assist in the response where necessary.

For more information on Deloitte’s Privacy Response Services and other privacy-related services, please contact:

Annika Sponselee, Partner
M: +31 (0) 6 10 99 93 02
E: [email protected]

Shay Danon, Manager
M: +31 (0) 6 13 72 10 52
E: [email protected]


Appendix

Sources


Appendix 1/3

Sources of data

Country | Year | Number of data breaches | Comments | Source
Belgium | 2016 | 22 | | Annual report DPA 2016
Belgium | 2017 | 25 | | Annual report DPA 2017
Bulgaria | 2018 | 445 | | Annual report DPA 2018
Cyprus | 2018 | 32 | Counted from 25 May – 31 December 2018 | Annual report DPA 2018
Denmark | 2018 | 2.780 | Counted from 25 May – 31 December 2018 |
Estonia | 2018 | 64 | | Report DPA: Avaliku teabe seaduse täitmisest ja isikuandmete kaitse tagamisest aastal 2018
Finland | 2018 | 2.700 | Counted from 25 May – 31 December 2018 | Press release DPA: Tietosuojavaltuutetun toimistolle on ilmoitettu jo 2700 henkilötietojen tietoturvaloukkausta
France | 2018 | 1.170 | | Annual report DPA 2018
Ireland | 2016 | 2.224 | | Annual report DPA 2016
Ireland | 2017 | 2.795 | | Annual report DPA 2017
Ireland | 2018 | 4.740 | | Annual report DPA 2018


Appendix 2/3

Sources of data

Country | Year | Number of data breaches | Comments | Source
Italy | 2018 | 650 | Counted from 1 March 2018 – 31 December 2018 | Annual report DPA 2018
Latvia | 2018 | 46 | Counted from 25 May 2018 – 31 December 2018 | Annual report DPA 2018
Lithuania | 2018 | 100 | | Press release DPA: 2018 m. asmens duomenų apsaugos priežiūros Lietuvoje apžvalga
Luxembourg | 2016 | 1 | Violation of Electronic Communications | Annual report DPA 2016
Luxembourg | 2017 | 3 | Violation of Electronic Communications | Annual report DPA 2017
Luxembourg | 2018 | 172 | Counted from 25 May 2018 – 31 December 2018 | Statistics published by DPA: Statistiques sur les violations de données à caractère personnel notifiées entre le 25 mai 2018 et le 31 décembre 2018
Malta | 2018 | 108 | | Overview provided by DPA of reported data breaches (available on website DPA)
Netherlands | 2016 | 5.693 | | Annual report DPA 2016
Netherlands | 2017 | 10.009 | | Annual report DPA 2017
Netherlands | 2018 | 20.881 | | Annual report DPA 2018


Appendix 3/3

Sources of data

Country | Year | Number of data breaches | Comments | Source
Spain | 2018 | 547 | | Report DPA: Notificaciones de Brechas de Seguridad Marzo 2019
Sweden | 2018 | 2.297 | Counted from 25 May 2018 – 28 January 2019 | Report DPA: Anmälda personuppgiftsincidenter 2018
United Kingdom | 2016 | 2.565 | | Annual Report DPA 2016/2017
United Kingdom | 2017 | 2.447 | Counted from 31 March – 31 March of each year | Annual Report DPA 2017/2018
United Kingdom | 2018 | 3.156 | Counted from 31 March – 31 March of each year | Annual Report DPA 2017/2018


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities. DTTL (also referred to as “Deloitte Global”) and each of its member firms are legally separate and independent entities. DTTL does not provide services to clients. Please see www.deloitte.nl/about to learn more.

This communication is for internal distribution and use only among personnel of Deloitte Touche Tohmatsu Limited, its member firms and their related entities (collectively, the “Deloitte network”). None of the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

© 2019 Deloitte The Netherlands

Designed by CoRe Creative Services. RITM0264095