The law firm of DLA Piper released the results of a survey it conducted looking at the number of personal data breaches that have been reported since the European Union's General Data Protection Regulation was enacted in May 2018.

There are some figures that jump off of the page—over 59,000 breaches reported and 91 fines issued—but anybody out there believing that the first nine months of the GDPR's tenure will provide significant insight into the mindset of what the European Commission calls a data protection authority (DPA) might be sorely disappointed.

“It is too early for identifying trends in the fining practices of DPAs. We will need at least another two years of enforcement in order to identify trends in enforcement between countries, sectors and type of companies,” said Patrick Van Eecke, a partner and co-chair of DLA Piper's global data protection, privacy and security practice.

The report was compiled by DLA Piper's cybersecurity team and includes data from countries throughout the European Economic Area, with all 28 EU members plus Iceland, Norway and Liechtenstein represented. Almost 60 percent of the more than 59,000 breach reports originated from the United Kingdom, Germany and Netherlands—but even those numbers could be misleading outside of the proper context.

Van Eecke said multinational companies typically only report breaches that impact users from multiple jurisdictions within the country that holds their European headquarters (which is usually the UK, Germany and Netherlands). Preexisting corporate culture and time-tested data breach notification plans may have also better prepared those countries for looping in the authorities early.

“I am for example surprised that countries like Italy and Spain have such low numbers of reported data breaches. I am not convinced that this is due to better information security measures taken by companies in those countries,” Van Eecke said.

One thing that does seem clear is that regulators are dealing with a backlog of breaches. There's a sizable discrepancy between the more than 59,000 reports mentioned in the survey and the 91 fines that have been levied.

Some of that boils down to the nature of the incident in question. The general conditions for imposing administrative fines as laid out by the GDPR call for supervisory authorities to consider “the degree of responsibility of the controller or processor taking into account technical and organizational measures implemented by them.”

In other words, a DPA could decide not to impose a fine if it determines that a company had taken appropriate measures to protect personal data. Van Eecke said that in his experience, DPAs are also trained to filter out and prioritize larger breaches.

“They are simply not able to review all notifications and assess the impact of the reported breaches. This may mean that some companies might only receive feedback from the regulator after considerable time,” Van Eecke said.

So what does this mean for companies and attorneys attempting to comply with the GDPR? It sounds like they'll be continuing to adjust their business practices on the fly.

After the GDPR was adopted by the European Parliament in 2016, many companies had to undertake compliance efforts that involved making significant changes to their information security procedures and privacy by design policies in time to make the May 2018 deadline.

Van Eecke said DLA Piper has seen companies continue to focus on fine-tuning those procedures over the last nine months, specifically with regard to data deletion and data subject access procedures.

“These procedures have been tested out during the past 9 months and are now being further improved,” he added.