
One year with GDPR, what happened?

It has been a little over one year since the European Union began enforcing the General Data Protection Regulation (GDPR), legislation designed to protect the personal data of EU citizens.

The GDPR is designed to protect the personal data of EU citizens and lays down rules and guidelines on how their data may be collected, stored and processed.

GDPR requires companies and organizations to disclose to national Data Protection Agencies (DPAs, e.g. "Datainspektionen" in Sweden) any breaches of security leading to "the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed". The report must be made to the local data protection authorities not later than 72 hours after having become aware of the breach.

We have a significant rise in Data Breach reporting from European Businesses

Penalties for organizations failing to comply with the new notification requirements of the regulation include fines of up to €10 million, or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Many studies published before 25 May 2018 showed that companies would not be ready.

As of late spring 2019, the figures currently available appear to show more than 95,000 complaints from EU citizens since May 2018. Of these complaints, nearly 65,000 were data breach notifications.


The Netherlands, Germany and the United Kingdom came top of the table for the largest number of data breaches notified to supervisory authorities, with approximately 15,400, 12,600 and 10,600 breaches notified respectively. The Netherlands recorded the most data breach reports per capita, followed by Ireland and Denmark. The United Kingdom, Germany and France rank tenth, eleventh and twenty-first respectively, while Greece, Italy and Romania have reported the fewest breaches per capita.

A personal data breach is a security breach that leads to the unlawful or accidental loss, destruction, alteration, or unauthorized disclosure of personal data stored, processed or transmitted.

Under GDPR, non-EU organizations that have headquarters established in Europe can take advantage of the “one stop shop” mechanism. With numerous high-profile U.S. technology leaders like Facebook, Microsoft, Twitter and Google choosing to have their European headquarters in Ireland, it will be very interesting to study the yearly data breach report from Ireland’s DPA when it comes out.


The largest fine to date is the €50 million fine imposed on Google by France’s Data Protection Authority. The fine did not relate to a data breach, but to Google's processing of personal data without authorization from its users. The United States is closely observing our infringements in order to better understand the effects, strengths and weaknesses of the regulation. Similar laws are enforced or planned in different states in the US and Canada.

The objective of GDPR was to bring uniformity to data protection laws across EU member states and control how organizations should store personal data and how they must respond in the event of a data breach, emphasizing the importance of creating trust that allows the digital economy to grow inside the European community.

Tomas Hultgren


Here we write some short summaries on technologies and businesses that we think are interesting around our area. You are most welcome to comment or suggest changes. Many thanks, ContentMap team.

