The General Data Protection Regulations (GDPR) came into effect in the European Union in May 2018. The regulations served to replace the existing regulations covering data protection, which were woefully out-of-date with modern technology and inadequate to deal with major cybersecurity risks. The creators of GDPR hoped that the regulations would reduce the risk of data theft to a minimum by requiring that a number of safeguards are in place to protect the data at all times. By overhauling and reforming existing practices, it is hoped that GDPR will ensure the protection the integrity of confidential information. GDPR covers all types of organisations, including public agencies, governments, or companies of various sizes.
In addition to introducing new standards in data protection, GDPR has given EU residents with new rights and freedoms with their own data. Before GDPR, ordinary citizens had very few little say in how their data could be used or collected. Now, any company which collects data from people within the EU must be GDPR compliant, regardless of the physical location of their headquarters. It is important to note that EU citizens who have their data collected outside of the EU (for example, while they are holidaying in the US) are not protected by GDPR.
GDPR has introduced new laws about how organisations must respond to data breaches. In order to remain GDPR-compliant, organisations are required to disclose certain data breaches within 72 hours of their discovery. Before GDPR, reporting data breaches was not compulsory for many organisations.
Kroll, a corporate investigations and risk consulting organisation, launched a study to investigate the effect of GDPR’s introduction on the number of reported data breaches in the EU. According to the results, there has been a spike in the number of data breaches reported by companies in Europe. The data was obtained through the freedom of information act, or was publicly available on the Information Commissioner’s website.
The numbers varied from country to country, but in general there was a huge increase in the number of data breaches reported. For example, the number of breaches reported to the UK supervisory authority, the Information Commissioner (ICO), increased by 75% in the past year. The Kroll study showed the ICO had received more than 2,000 data breach reports in the past 12 months that could be attributed to human error, compared to just 292 that were attributed to cyberattacks.
The most commonly reported breaches were emails sent to incorrect recipients (447 incidents), misdirected letters and faxes containing personal information (441 incidents) and loss or theft of physical records (438 incidents). Of the deliberate cyber incidents reported, specific circumstances logged include unauthorised access (102), malware (53), phishing attacks (51) and ransomware (33).
The healthcare industry was responsible for reporting the majority of the breaches, accounting for 1,214 of the 2,000 reported incidents. The general business sector filed 362 reports, followed by education and childcare (354) and local government (328).
According to their website, Kroll suggests that the increased number of breach reports may be due to organisations “gearing up for a new era of transparency around data breaches under GDPR”. They state that they expect the number of reports to increase further during the first full year under GDPR.
Kroll also suggests that there is likely to be a substantial increase in the penalties issued for preventable data breaches. Before GDPR, the maximum possible fine was £500,000 in the UK. GDPR allows for much greater fines to be levied against organisations, with the maximum penalty being €20 million – £17,845,000 – or 4% of global annual turnover, whichever is the greater. It is hoped that such a hefty fine will act as a deterrent to organisations who may be a little slack about reforming their business practices. The risk of a substantial fine on top of the cost of dealing with a breach and repairing repetitional damage is likely to see companies pay much more attention to data security and invest more heavily in data protection solutions.
One of the new rights that GDPR has granted to EU citizens is the ability to submit complaints to a data protection authority if they are suspicious that their personal data is being misused by an organisation, or has not been secured with adequate protection.
The Kroll report also investigation the effect of GDPR on the number of privacy and data security complaints made by consumers. The report shows that these numbers have also increased, ICO figures show that GDPR is likely to be a major cause for this increase. In the first three months since GDPR came into force, the number of data protection complaints have doubled. Prior to the introduction of GDPR in May, ICO had received 2,310 complaints but that figure jumped to 3,098 complaints in June and 4,214 complaints in July.
There have also been significant increases in complaints in other countries in Europe. The supervisory authority in France received 37% more complaints between May 25 and July 31, 2018 compared to the same period the previous year. in Ireland there has been a 65% increase in data protection complaints since GDPR came into effect.
