It’s been almost a year since the EU General Data Protection Regulation (GDPR) was passed into law. And although European Elections and Brexit are continuing to dominate the news agenda, this anniversary is not one to be overlooked. DLA Piper recently put together a report uncovering fresh insight on GDPR. At the heart of this report is the issue of how GDPR-era breaches were reported across the EU over the past year, the types of fines that were implemented, and how breaches were spread amongst EU members.
59,000 incidents were reported to “Data Commissioners” across the EU between the introduction of GDPR to the release of the report, according to DLA Piper. The numbers were built upon from data reported by some, but not all, EU members (which still includes the UK) and collected by DLA Piper.
What’s in the numbers?
The first point to make is that these incidents do not imply that 59,000 data breaches took place. GDPR is concerned not only with data breaches, but also with the inappropriate handling and processing of data. Therefore, the reported number of incidents covers data abuse as well as data loss, whether accidental or maliciously derived. This shows how EU countries are required to engage in more than just GDPR data breach notification. A separate source, directly from the EU commission, places the data breach related incidents of 41,500 for both malicious and accidental events.
The effects and legalities of GDPR are still rippling their way through data processing services. As a recent example, lobbyists from several countries launched a petition to their respective regional Data Protection Authorities on how EU personal data is used in the fast growing space of Real-Time Bidding, which is the process that determines which adverts are shown to you online. Real-Time Bidding is driven by the data which advertising companies have about you, since this is what allows them to make the most informed decision as to which advertisement you would find most appealing. Deciding which advert to show you takes a split second, therefore, there is clearly no possible way for the user to ‘opt-in’ to the processing of their data. This is separate from the €50m fine placed on Google by the French Commission Nationale de l’Informatique et des Libertes (CNIL) earlier this year.
One very interesting element of the DLA Piper report is the breakdown by country of the number of incidents filed. The Netherlands tops the list with around 15,400 reported incidents. Strangely, despite having a population nearly three times that of the Netherlands and a similar difference of scale in GDP, France only reported 1,300 incidents. This, perhaps, highlights an inconsistency between EU members as to what needs to be reported. For example, reported incidents have included simple notifications that an email was accidentally sent to the wrong recipient. It would appear, although not confirmed, that the Dutch are playing it safe and reporting any infringement, whereas the French have a narrower interpretation of what a data incident is.
What consequences have business faced?
Potentially, the reporting of even mild infringements could explain why only 91 fines have resulted from the 59,000 reported incidents. However, the report from DLA Piper does concede that there is likely to be a backlog within the EU commission to process GDPR breach notifications and other types of incidents, which could mean that more fines will be on the horizon. The backlog may also be a sign that the EU underestimated the initial volume of incident reports it would receive.
The main thing that is evident from this report is that the effect of the GDPR is still not fully understood. This is reflected by the huge variance in reported incidents per country and the ongoing arguments around the interpretation of legal data processing. The implications and interpretations will continue to play out for the foreseeable future.
Security priorities moving forward
The most important consideration in the GDPR era is that organisations that collect or process EU related data must remember the data does not belong to them. They need to protect it with a clear mindset: they are only borrowing the data, which ultimately belongs to the individuals that have provided it. It needs to be locked away with the right protection to ensure only those who should use it or see it can do so. It may seem like an obvious shift of perception, but it is vital in terms of the importance we place upon protecting EU-related data.