It’s now over a year since GDPR came into effect, and although the impact of the regulation is starting to be felt, there’s still a long way to go before the true security picture in Europe becomes clear.
GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”, and requires organisations to notify such breaches to their national data protection authority (DPA) not later than 72 hours after becoming aware of them, unless the breach is unlikely to result in a risk to the individuals concerned.
Only part of the picture
One of the big issues, though, is that the EU body in charge of the application of GDPR still hasn’t developed any official standard for how the independent national DPAs should publicly report GDPR statistics, which makes collecting and analysing data on GDPR compliance challenging. Several European DPAs have nevertheless voluntarily confirmed in recent months that the new regulation has led to a significant rise in reported data breaches. Analysis of those voluntary disclosures shows that EU data protection regulators have received a total of 41,502 data breach notifications since GDPR came into full force.
According to a report by the law firm DLA Piper, the UK has had one of the highest numbers of reported data breaches in the EU over the past year, behind only the Netherlands and Germany: approximately 15,400 breaches were notified in the Netherlands, 12,600 in Germany and 10,600 in the UK.
The Netherlands recorded the most data breach reports per capita, followed by Ireland and Denmark. The UK, Germany and France rank tenth, eleventh and twenty-first respectively, while Greece, Italy and Romania have reported the fewest breaches per capita.
Under GDPR, non-EU businesses whose main establishment is in an EU member state can take advantage of the “one-stop shop” mechanism, under which the DPA of that member state acts as their lead supervisory authority. With numerous high-profile U.S. technology companies such as Facebook and Google choosing Ireland for theirs, it will be very interesting to study the annual data breach report from Ireland’s DPA when it comes out. What is clear is that GDPR is raising awareness among the general public as well as organisations about the security threats out there and their rights and obligations under EU data protection law.
It’s important to remain cautious with the current data because this is a transitional year and most EU DPAs have a median investigation time for a data breach of 12 to 15 months (or longer). This means that many of the cases currently under investigation are incidents that happened under the older data protection laws.
Facing the consequences
Those found to fall short of GDPR’s compliance standards face two tiers of fines: up to €10 million or two per cent of total worldwide annual turnover of the previous financial year, whichever is higher, for the lower tier of infringements, and up to €20 million or four per cent for the most serious ones, such as breaching the basic principles for processing or the rights of data subjects.
Germany currently leads in the number of fines administered, with German organisations receiving 64 of the 91 reported fines so far. These include the two largest German fines to date: €80,000 against an organisation that published health data on the internet, and €20,000 against a chat platform for storing user passwords in plaintext rather than hashing them. Not all the fines imposed relate to personal data breaches, though, according to the DLA Piper report.
The largest fine to date is the €50 million imposed on Google by France’s data protection authority, although it did not relate to a data breach but to the company processing personal data without valid consent from its users. The remaining fines, from countries such as Austria and Cyprus, were comparatively low in value.
The objective of GDPR was to bring uniformity to data protection laws across EU member states and control how companies should store personal data and how they respond in the event of a data breach. Additionally, it was designed to emphasise the importance of creating trust that allows the digital economy to grow inside the European community.
Now in its second year, it’s vital to remember that the regulation is still young, with both regulators and companies figuring out its impact and importance. As mentioned, data protection authorities across the EU will soon be publishing annual reports, which will give a wider and better picture of the level of compliance.
In the meantime, transparency is a necessity that will help the EU further increase awareness of GDPR. As the regulation doesn’t just affect companies in the EU, but also those internationally that process EU residents’ data, the rest of the world will be watching closely to better understand its strengths and weaknesses. So, while there was much trepidation towards the regulation as it came into force, its second year should be the headline maker. Companies that fall into its grasp could soon be the ones making the headlines and dealing with the consequences.
Jason Hart, cybersecurity expert, Thales