privacybrief

Over 160,000 companies have notified European regulators of GDPR breaches

March 22, 2026
More than 160,000 data breach notifications have been filed with European privacy regulators under the GDPR, according to a new analysis from law firm DLA Piper, with the number of breached organizations notifying authorities rising 22% over the previous reporting period.

The figures, reported by Infosecurity Magazine and drawn from DLA Piper’s latest GDPR breach survey, reflect notifications made to regulators rather than a simple count of major hacks. Under Article 33 of the GDPR, organizations must report personal data breaches to supervisory authorities within 72 hours when the incident is likely to pose a risk to individuals’ rights and freedoms.

That means the total includes a wide range of incidents, from ransomware and phishing to accidental disclosures, lost devices, misdirected emails and third-party compromise. It also means the headline number should be read as a measure of reporting activity and compliance, not just attacker success. A single company may file more than one notification, and reporting practices can vary by country.

Even so, the data points to a sustained volume of security and privacy failures across Europe. The GDPR has made those incidents more visible by creating a common legal duty to disclose them, giving regulators and the public a clearer view of how often organizations lose control of personal data.

For businesses, the trend is a reminder that breach response now carries both technical and legal pressure. Companies need to detect incidents quickly, assess whether personal data was affected, preserve evidence and decide whether regulator and customer notifications are required. Common causes behind reportable breaches often include credential theft, email compromise and insecure remote access, including poorly protected VPN connections.

The increase in notifications may reflect several forces at once: more cyber incidents, better internal detection, and greater willingness to report under a regulatory regime that has been in force since 2018. Either way, the latest DLA Piper figures show that data breach reporting has become a routine part of doing business in Europe—and that privacy regulators continue to receive breach disclosures at scale.
