Last weekend marked the first anniversary of the introduction of the EU’s General Data Protection Regulation (GDPR), one of the biggest overhauls in data privacy and security regulations ever to impact businesses.
Coming into force on May 25th 2018, the rules set out a more stringent environment for how personally identifiable data should be protected by businesses, as well as what responsibilities organisations have in the event of a data breach.
With much tougher rules in place, and with the potential for huge fines should firms fail to live up to its requirements, GDPR marked a significant change for how businesses think about security. But one year into the new regime, how are firms coping, and what impact is it having on businesses’ thinking?
Reports of breaches go through the roof
According to figures from the Information Commissioner’s Office (ICO), the number of data breaches reported in the last 12 months has increased fourfold since the implementation. In the 12 months ending in April 2018, the regulator received 3,311 breach notifications, but in the 12 months since, this climbed to 14,072.
This is a result of GDPR’s more stringent reporting requirements – which mandate that any breaches affecting personal data be disclosed within 72 hours – but it also helps shine a light on many incidents that would have gone unnoticed in previous years. Therefore, GDPR has almost certainly helped highlight the true scale of the risk businesses face, and could help prevent complacency among firms.
Large-scale fines yet to materialise
One of the biggest concerns for many businesses in the run-up to GDPR was the threat of highly damaging fines for breaches – up to €20 million or four per cent of global turnover, whichever is higher. For the world’s largest tech firms, this could equate to penalties in the billions of dollars.
So far though, enforcement has yet to really show its teeth. One reason for this is that, given the nature of investigations and the amount of time they typically take, they simply haven’t been completed yet. As the law does not apply retroactively, the ICO can only issue GDPR-level fines for incidents that occurred after the rules came into effect, which is one reason it only issued a comparatively small penalty of £500,000 on Equifax, for example, despite the huge scale of the credit monitoring firm’s 2017 data breach.
Indeed, the ICO has yet to issue any fines under GDPR rules – though this will surely change sooner rather than later. Elsewhere in the EU, some regulators have begun to take action, with a total of €56 million in penalties issued so far – although the majority of this figure is accounted for by the €50 million penalty imposed by French regulators on Google for the way it used personal data in advertising.
Public awareness reaches new levels
Elsewhere, the rules have also greatly helped boost public awareness of data protection issues, what data companies collect about them, and what they use it for. Part of this will no doubt have been a result of the deluge of emails people received in the build-up to the implementation asking for consent to continue using their data – which was said by some observers to be an unnecessary overreaction by companies that were unsure of the scope of GDPR rules.
Scandals such as those involving Facebook and Cambridge Analytica have further embedded digital privacy risks in the public consciousness, while research by the International Association of Privacy Professionals found there have been more than 144,000 individual complaints raised under GDPR rules.
Therefore, it’s clear that privacy is not an issue that is likely to fall off people’s radar, so firms will have to continue focusing closely on this area in the coming years. And as the first wave of investigations concludes, it will be interesting to see how aggressively regulators such as the ICO use their enforcement powers.