The implementation of the General Data Protection Regulation (GDPR) by the European Union (EU) on 25 May 2018 saw a significant increase in the reporting of personal data breaches following the new disclosure obligations, and as Tech Monitor analysis shows, breach notifications have continued to surge.
Is this because companies continue to take their reporting obligations more seriously, or is the number of breaches itself growing?
Warning shots to business to take their obligations seriously have been heard widely and regulators have made use of the new firepower afforded them; three of the best-known penalties involve Google, British Airways and Marriott, which face fines amounting to €50m, €22m and €20.4m, respectively – even if national regulators do seem to be taking notably different approaches to how GDPR fines should be calculated.
GDPR data breach notifications: are small businesses flying under the radar?
Although data breaches have been happening for as long as personal data has been processed by an organisation or business, the legislation regulating these processes in EU territory faced no GDPR-equivalent beforehand.
In the UK, for example, under the Data Protection Act 1998, organisations did not have an express obligation to report data breaches to the Information Commissioner’s Office (ICO), the country’s data regulator.
Indeed, as Andrew Brenton, owner and director of IOLIS Legal Services in Cardiff, Wales, puts it: “A Good Practice Note – a guidance issued by the ICO at that time – cautioned that data subjects should not be notified of any data breach without good reason.”
This changed drastically on 25 May 2018, when organisations based in EU territory or dealing with personal data from EU subjects had a mandatory requirement to report data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. The reaction was immediate: during the first eight months of GDPR, 59,000 data breaches were reported across the EU.
“The widespread publicity and fearmongering around the GDPR led initially to a great deal of over-reporting,” adds Brenton, suggesting that businesses in the UK are taking data protection more seriously – if just for the fear of a potential fine.
The penalties imposed by the Information Commissioner can be as high as €20m or 4% of a company’s global revenue, whichever is higher. Also, data subjects affected by the breach have the right to seek compensation for damages. (Many high-profile fines have sharply reduced. Although British Airways was at first going to be issued with a fine of £183m, the final bill from the ICO was “just” £20m.)
However, adds Brenton, the public are far more aware of their rights and the responsibilities of businesses when it comes to handling personal data.
Soon after the implementation of GDPR, ICO research found a third (34%) of people in the UK had high trust and confidence in companies and organisations storing and using their personal data – an increase from the 21% in 2017.
Companies, in turn, are more conscious to look compliant with data protection laws, not just for the potential penalties that they could face, but also for the reputation impact. A study by Centrify and the Ponemon Institute found 65% of people affected by a data breach lost trust in an organisation as a result.
David Clarke, founder of GDPR Technology Group, agrees that companies are taking data protection more seriously despite the figures showing a spike in data breaches: “It might look that data breaches are going up but in reality, businesses are managing much better.”
This is particularly the case of financial institutions, venture capital companies (VCs) and startups. When the latter depend on bigger companies’ funding, one of the requirements asked for is how resilient they are to data breach, so being able to contain data breaches effectively is a must.
Nonetheless, Brenton says that smaller companies have tended to “fly under the radar”.
“Being small and in conjunction with the lack of GDPR penalty activity from the ICO, there is an attitude that they will not get caught,” he says.
“I think that this has led, to a significant degree, to box-ticking instead of proper consideration of data protection. You only have to look at the myriad low cost ‘GDPR in a box’ solutions that are often merely a set of document templates that need filling in. These will not make an organisation compliant.”
Despite this, small and micro companies in the UK had the lower percentage of experiencing cybersecurity breaches or attacks in the last 12 months from the period 2017–20, compared with medium or large companies.
What will happen after Brexit?
During the Brexit transition period, which will end on 31 December 2020, GDPR continues to apply in UK territory. However, there is widespread uncertainty on what will happen from 1 January as any changes are still tied to negotiations in progress.
Whereas GDPR will be brought into UK law as the ‘UK GDPR’, there may be further developments about how we deal with particular issues such as UK-EU data transfers. Although GDPR will be retained in domestic law at the end of the transition period, the UK might want to choose to review the framework at a future date once it’s not bound by EU legislation.
Brenton says that Brexit has caused a lot of turmoil in the UK data protection world. The on-off negotiations and the constant shifting has made it difficult to plan a way forward for data flow from the EU to the UK.
Although the ICO has already advised that the flow of UK citizen’s data to the EU will not be an issue, the EU will probably consider the UK a place that is not safe for personal data of EU citizens unless there’s any deal that guarantees the privacy of personal data of EU subjects.
“As we get closer to the end of the transition arrangement, the work becomes more urgent, so it is a good idea for companies to start planning now. It may come to pass that the UK has an arrangement under a trade deal that allows the free flow of personal data, but I wouldn’t bet on it,” adds Brenton.
“If the UK does not maintain what is an excellent foundation that it will adopt from the EU, it will likely damage the ability to trade with major states around the globe.”
The progress made in data protection since the UK implemented GDPR could be lost if the regulation standards were to fall, making an increase in actual data breaches (not just reports) very likely.
Unless clear guidance is issued by the UK government on how to deal with personal data across countries, businesses and organisations might slip in their standards out of confusion.
For example, although currently not every company falling under GDPR needs to appoint a data protection officer (DPO), some companies that previously did not need one might need to appoint one when the Brexit transition period is over if they want to maintain business with EU companies.
“I think we are going to have to wait and watch this space to see how it really works,” adds Clarke.
The idea of “one-stop-shop” will cease to exist. Whereas now a UK company can approach the ICO to ask about data privacy when dealing with a French or Czech business, from 1 January UK companies will need to ask each country’s data regulator if they are complying with data privacy relating to their subjects.
It will also mean including data privacy notices in the local language and making sure record processing abides by GDPR – even if the UK stops following it.
“It could be a lot of work and it might well become much more complex,” says Clarke.
Featured photo by VanderWolf Images/Shutterstock.
Cristina Lago is associate editor of Tech Monitor.