Book Demo

The BPM Index

breach per . month research

OK, we admit it, this is one for the GDPR-geeks.

How do you compare personal data breach notifications across the EEA?  The bare statistic is the first step, but doesn’t tell you much in reality.  For example, in September 2018, France averaged 167 notifications per month and Ireland had 451, roughly 3 times more.

Interesting enough.  But consider that Ireland has 250,000 businesses and France 3.5 million, or that Ireland’s population is under 5 million and France’s over 67 million.  Now it’s interesting.

We ask EEA Data Protection Authorities (or DPAs) how many breach notifications they receive on a monthly basis, and then we create the BPM Pop and BPM Biz.

In September 2018, France averaged 167 notifications per month and Ireland had 451, roughly 3 x France.  But take into account the populations of Ireland (under 5 million) and France (over 67 million) and you get a different perspective: Ireland has 31 x France’s notifications.  That’s the BPM Pop.

But if a country has more businesses, surely there’s more activity, and there are more targets?  Wouldn’t that explain a higher number of notifications?  That’s where the BPM Biz comes in.  However, on this measure, Ireland still has 38 x France’s notifications.

Of course, not all businesses process the same data, or the same amount.  So some businesses will be higher risk targets than others.  And we’re not counting public sector here either.  Hey, no-one’s perfect.  but it’s a good start.  Have a look at the underlying data, we’re updating it all the time, and get engaged in the conversation: #BPMIndex.

Keepabl’s aim in publishing the BPM Index is in fostering a better and more common understanding of the personal data breach obligations in the GDPR.  It’s why we’re sharing it on the Creative Commons licence.  We hope it will help inform other research.

We’ve had great co-operation from European DPAs and, mid-term, we’d love the EDPB to take on the BPM Index, with monthly releases.  It seems the right place for it to live.  We believe we’re blessed with excellent regulators in the privacy industry who promote compliance in a practical and commercial manner.

However, when we noticed interesting patterns in early data on breach notifications, we looked for a way to enable discussion and learning across the EEA.  The BPM Index may be that way.  We hope you find it as interesting as we do and we look forward to the discussions to come.  See the underlying data and join in the conversation: bpm@keepabl.com and #BPMIndex on social media.