More than 3,200 breaches of data have been reported to the Data Protection Commission in the seven months since the most comprehensive ever overhaul of EU privacy laws was introduced.
The watchdog said of the 3,609 breaches reported to the office since the implementation of the General Data Protection Regulation (GDPR) on May 25, 3,202 related to the new EU law, while 407 will be dealt with under different legislation.
There have been a number of high-profile data breaches in the months since the GDPR was introduced, and the commission this month announced statutory inquiries into Twitter’s and Facebook’s compliance with the law following receipt of a number of breach notifications.
The GDPR was ratified in 2016 following four years of negotiation, replacing the existing directive on data protection.
Unlike an EU directive, which member states may implement over a set period, the regulation became law as soon as it took effect on May 25, meaning penalties could be imposed from the beginning.
The regulation is designed to harmonise data privacy laws across Europe and to protect citizens’ data privacy. It not only applies to organisations within the EU but also to firms that do business inside member states.
If companies fail to comply with the regulation, they can be fined up to 4% of annual global turnover, or €20m.
Businesses had to reorganise their data-handling strategies following the introduction of the new law, but after initial difficulties in bedding it in, a recent report from the Institute of Directors in Ireland suggests it is less of a worry than it was in May.
Just over 1% of directors consider the impact of GDPR compliance to be the single biggest risk factor facing their organisations, according to the institute’s report.
The Data Protection Commission also published guidelines for public representatives relating to the handling of the personal data of their constituents this month, following extensive public consultation.
The watchdog’s guidelines state that the “collection of personal data is specific and the use of personal data is limited to what is required to achieve that purpose”.