
Eight Years of GDPR – What Our Data Breach Statistics Tell Us

In May 2018, GDPR brought the EU-wide obligation to notify certain data breaches to the supervisory authorities – and with it, a new kind of discipline in how organisations handle personal data incidents.

Since then, we have been helping our clients record, assess, and, where necessary, report their data protection incidents. Behind the scenes, we have also been tracking the numbers (anonymously, of course): which types of incidents occur, how often, and how many ultimately required a report to the authorities. After eight years, we have gathered quite a lot of data!

How Many Incidents Do Clients Report?

On average, each client reported approximately two incidents per year to us (though 2024 saw a notable uptick, with that figure rising to 2.86). It’s important to note that not every incident reported to us requires notification to the supervisory authorities. That step is only necessary when an incident poses a risk to the rights and freedoms of the individuals whose data is affected. When we look at the subset of incidents that crossed that threshold, the numbers are considerably lower (though the same 2024 increase is visible here too).

We consider this encouraging. Where people work, mistakes will inevitably happen. The fact that only a small fraction of incidents result in a reportable data breach suggests that awareness is growing, and that technical and organisational measures are doing their job.

A simple example illustrates this well: suppose an employee accidentally sends an email to the wrong recipient. If the email contains a sensitive attachment – such as a colleague’s sick leave certificate – personal data has been disclosed to an unauthorised person. But if that document sits instead in a shared drive with properly restricted access, and the email only links to it, the missent email causes no unauthorised disclosure. The risk to the individual drops significantly, and what might have been a reportable breach becomes a minor internal incident.

How Many Clients Experience a Reportable Breach?

Another useful lens is to look at the proportion of clients who had at least one incident that required notification to the supervisory authorities in a given year.

Around one quarter of our clients per year experienced such an incident. But the trend is moving in the right direction: that share has fallen steadily over time, from roughly one in four clients in 2022 to approximately one in five by 2025 (with the exception of 2024, which saw a temporary spike). This supports the view that sustained investment in awareness and preventive measures is paying off.

What Is the Most Common Type of Incident?

Missent emails account for around 50% of all incidents reported to us. Digital unauthorised access comes second, covering cases such as incorrectly assigned user rights.

This pattern holds even when we narrow the focus to incidents that were notified to the supervisory authorities. The absolute numbers are smaller, but missent emails and unauthorised access remain the two leading causes.

The practical implication is clear: if you want to reduce your organisation’s risk exposure, awareness training and targeted technical measures around email handling and access rights are good places to start.

How Do Our Numbers Compare to the EU-Wide Picture?

Our dataset is relatively small, and EU-wide figures are not directly comparable – the supervisory authorities only publish data on reportable breaches, not on all incidents. Even with that caveat in mind, the contrast is still striking.

EU-wide breach notifications grew by approximately 48% between 2022 and 2025. Our clients’ figures tell a different story: after a significant rise in 2024, reported incidents returned to their 2022 baseline by 2025.

We attribute this, above all, to training and awareness. Employees who understand the risks involved in processing personal data (and who know exactly what to do when something goes wrong) are one of the most powerful safeguards a company can have. When incidents are caught and escalated quickly, they can often be contained before any real risk to individuals materialises. In the best cases, they are avoided altogether.