Kroll, a data security company, has released the results of a survey which shows that the number of data breaches reported to the UK’s Information Commissioner has increased by 75% since the introduction of the General Data Protection Regulation (GDPR).
GDPR became EU law in May 2018. Its introduction revolutionised the data security landscape in the EU. One of the most crucial aspects of GDPR is how it has changed the way organisations respond to data breaches. Article 33 of GDPR requires data controllers to notify the supervisory authority of a data breach within 72 hours of its discovery unless they have determined that the risk of harm to the individuals affected is minimal. Data processors are required to inform data controllers that a data breach has occurred without “undue delay”.
Article 34 stipulates that the organisation is required to notify individuals that their data was compromised if it is possible that they are at heightened risk of fraud or having their data used for nefarious purposes. However, they are not required to notify individuals of a data breach if the breached data was “unintelligible to any person who is not authorised to access it”, such as through encryption.
Kroll commissioned the survey to probe GDPR’s effects on the number of data breaches reported to the relevant authorities. The results were clear: the number of data breaches reported in the United Kingdom quadrupled in the first three months after GDPR came into effect. In Ireland, the number of data breach reports doubled during the same period.
According to the report, more than 2,000 of the data breaches filed with the ICO in 2018 were attributed to human error. This figure is nearly an order of magnitude higher than the 2017 figure of 292.
The most commonly reported breaches were emails sent to incorrect recipients (447 incidents), misdirected letters and faxes containing personal information (441 incidents), and loss or theft of physical records (438 incidents). Unauthorised individuals (mostly cybercriminals) were responsible for 102 of the cases. The healthcare industry suffered 1,214 of the 2,000 reported breaches.
These figures indicate that there was a significant increase in data breaches in 2018. The report states that the majority of these breaches were reported before the effective date of GDPR. However, the researchers at Kroll suggest the rise can be attributed to increased transparency due to GDPR, with UK companies choosing to abide by GDPR rules ahead of the deadline for compliance.
Kroll’s researchers indicate that the penalties issued for preventable data breaches may increase in the future. Before GDPR, the maximum possible fine was £500,000 in the UK. Now, the maximum penalty is €20 million – £17,845,000 – or 4% of global annual turnover, whichever is the higher. The magnitude of this fine, in addition to the cost of mitigating the effects of the breach and repairing reputational damage, is likely to be a strong incentive for companies to comply with GDPR.
In addition to radically changing how businesses handle the private data of individuals, GDPR also granted those individuals new rights and freedoms. For example, EU citizens are now allowed to file complaints about organisations with a data protection authority if they feel the organisation has misused or mishandled their data.
The Kroll report showed that privacy and data security complaints to the ICO have also increased post-GDPR. In the first three months since GDPR came into force, the number of data protection complaints has doubled. Before GDPR was introduced in May, the ICO had received 2,310 complaints. This figure increased to 3,098 complaints made in June, and a further 4,214 complaints in July.
This trend can be seen across Europe. The supervisory authority in France received 37% more complaints between May 25 and July 31, 2018, in comparison with the same period in 2017. The Irish authorities have seen a 65% increase in data protection complaints since GDPR came into effect.