Report: More than 1,000 personal data breaches reported in Ireland since GDPR deadline

Reports of breaches involving personal data are way up in Ireland since the General Data Protection Regulation (GDPR) went into force in late May, according to a recent Irish Times article.

The article says that 1,184 reports have been made to the Irish Data Protection Commission (DPC) since the May 25, 2018, deadline for enforcing GDPR. The DPC said that GDPR applied in 953 of those cases.

GDPR is a sweeping set of data privacy rules that govern the handling of personal data from members of the European Union (EU). One of the main tenets of the law requires reporting of data breaches within 72 hours. The penalties for breach of GDPR can be up to €20 million, or 4 percent of a company’s annual revenue, whichever is higher.

It’s likely that the 72-hour reporting deadline — as well as the threat of a massive fine — accounts for the increase in reports.

The DPC has also logged 267 GDPR-related complaints since the May deadline. The DPC says that its top GDPR-related complaints are: processing involving the disclosure of personal data without a legal basis; user requests for information on their data; and unfair processing.

A DPC spokesperson told the Irish Times:

By way of comparison, the Irish DPC received, on average, approximately 230 data breaches and 220 complaints per month last year (2017). As you can see there has been a significant increase in the volumes of both breaches and complaints to the DPC since May 25th.

Though there have been some data breaches here in the United States since the GDPR enforcement deadline, none have been called out as specific to GDPR. The reporting process for GDPR is murky in the United States; US companies are expected to report GDPR breaches through state mechanisms that already exist for now.