The Effect of GDPR on Data Breach Reports and Consumer Complaints

Healthcare Data Breaches

With the introduction of the General Data Protection Regulation (GDPR), EU residents now enjoy new rights and freedoms. Citizens are given greater control over the personal data that companies collect, process, and use.

Under the GDPR, EU citizens can submit complaints to the appropriate authority if they believe that a company is misusing or not protecting their personal information. In case of certain data breaches, GDPR requires breach notification within 72 hours after discovery.

Since the GDPR was enforced on May 25, 2018, there has been a notable increase in the number of reported data breaches in Europe. In the first three months following the GDPR enforcement date, data breach reports quadrupled in the United Kingdom and doubled in Ireland.

Kroll conducted a study that showed there were 75% more data breach reports submitted to the Information Commissioner (ICO) in the past year. ICO is the supervisory authority in the United Kingdom. Over 2,000 data breach reports were submitted last year that involved human error, whereas there were only 292 data breaches the previous year.

The most common causes of breaches are listed below:

  • 447 incidents involved sending emails to wrong recipients
  • 441 incidents involved misdirected letters and fax messages that contain personal data
  • 438 incidents involved lost or stolen physical records
  • 102 cases involved unauthorized access of personal data due to a cyberattack

The healthcare industry is the most common sector hit by data breaches with 1,214 incidents out of the 2,000 reported cases. The figures above suggest data breaches have increased although while most of the breaches were reported prior to the date when GDPR was enforced, Kroll believes that the increase is because UK companies have increased transparency due to completing their GDPR compliance programs ahead of the deadline.

Kroll additionally stated that the substantial increase in issued penalties for preventable data breaches also affected the number of reported data breaches. Before the GDPR, the maximum penalty for a data breach was £500,000 in the UK. Following the implementation of the GDPR, penalties could go as high as €20 million – or 4% of global annual turnover, whichever is greater. Because of the risk of a sizeable fine on top of the cost of resolving a breach and repairing damage to reputation, companies are giving more consideration to data protection and are investing more in data security solutions.

There was also an increase in privacy and data security complaints submitted by consumers since the GDPR. In the first three months of enforcing the GDPR, the number of data security complaints doubled. In May, ICO got 2,310 complaints; however, in June the figure jumped to 3,098 complaints and 4,214 complaints in July. In other Europe countries, complaints also significantly increased. In France, there were 37% more complaints from May 25 to July 31, 2018 than in the same period the previous year. In Ireland, data protection complaints increased by 65%.