GDPR: what’s changed one year on?

Tomorrow marks one year since the General Data Protection Regulation (GDPR) deadline across Europe, so what’s changed since then?

The latest figures from the Information Commissioner’s Office (ICO) put the total number of data breaches - from 25 May 2018 to 1 May 2019 - at 14,072. For comparison, the ICO received 3,311 data breach reports in the 2017/18 year beginning 1 April.

In terms of complaints, the total received stood at 41,054 for the year since 25 May 2018. Again, for comparison, in all of 2017/18, the ICO received around 21,000 data protection complaints from the public.

Most complaints are about Subject Access Requests, disclosure of data, right to prevent processing, security and data inaccuracy.

Measured fines

Over the last 12 months, the European Commission (EC) has meted out fines totalling over €56 million, across 91 companies.

While this seems like a significant amount, it’s really a fraction of the four per cent of companies’ total global revenue that can be levied, and €50 million of that amount was against one business; Google.

This penalty was handed down because people were "not sufficiently informed" about how Google collected and used their data. Despite Google's European headquarters being in Ireland, it was the French privacy watchdog that came knocking.

This fine is the exception though, as a more constructive approach is evident in other decisions, with good behaviour incentivised by lenient punishments.

One example is the first company to be fined under the GDPR, German social media platform Knuddels, for a data breach compromising the email addresses and passwords of 330,000 users. The fine was only €20,000 though, with the EC noting that the company proactively notified the German data protection authorities and its customers, while also implementing the security procedures that were recommended to address the breach.

In contrast, Centro Hospitalar Barreiro Montijo, a hospital in Portugal, was fined €400,000 and didn't even technically have a breach. However, the authorities stated that the core concepts of the GDPR - security by design and by default - were ignored as the hospital allowed indiscriminate access to patient records by an excessive number of users. Although the hospital did take steps to correct the issue once identified, it appeared they were essentially ignoring the rules until reprimanded.

Cyber security

A Twitter poll conducted by Infosecurity Europe this week, attracting 6,421 responses, revealed a lack of confidence in how the GDPR has been applied, with 68 per cent believing that organisations have not taken the GDPR seriously and are still not compliant.

When asked whether GDPR regulators are being too relaxed when it comes to enforcing standards and following up with firms, almost half (47 per cent) agreed that they were.

Just over a third (38 per cent) said that GDPR compliance has dominated their organisation in the last 12 months, hindering plans for other cyber security projects.

Perry Carpenter, chief strategy officer at cyber security business KnowBe4, admitted that the GDPR has had both positive and negative impacts.

“GDPR has done a lot to promote the application of foundational information security and privacy-related practices, but a potential downside is that many organisations still assume that meeting a compliance requirement is the same as being secure – of course history teaches us that compliance and security are not the same thing.”

DPO growth

Meanwhile, research from the International Association of Privacy Professionals (IAPP) has indicated that an estimated 500,000 organisations have registered data protection officers (DPOs) across Europe under the GDPR.

The rules require public authorities and companies monitoring individuals or processing special categories of their data on a large scale to register a DPO who has “expert knowledge of data protection law and practices”. In 2017, an IAPP study estimated the GDPR would create a need for at least 75,000 DPOs worldwide, but the new estimate gives a sense of the rapid growth of the privacy profession and the expanding role of DPOs in Europe and beyond.

Database recovery

One pre-GDPR concern was that giving people the option to opt out of databases would decimate companies’ ability to run targeted marketing, but new research from Yieldify has shown the impact to be less damaging than initially feared.

The customer journey optimisation firm commissioned Censuswide to survey 250 UK marketers who have access to an email database, finding that these have recovered to 93 per cent of their pre-GDPR levels.

At the time, a third of marketers lost over 30 per cent of their databases, but some of the sectors hardest-hit for losses have seen some of the greatest recoveries: the media industry and IT/telecoms industry saw 27 per cent and 29 per cent regrowth respectively.

Larger businesses generally lost greater proportions of data last year - an average of 29 per cent for businesses of 100-500 people - but recovered at a strong rate of 24 per cent, while businesses with fewer than 100 employees have only recovered by 18 per cent.

This high regrowth rate among larger businesses can be attributed to the diversity of tactics they employed in order to recapture data, including loyalty programmes, content optimisation and in-store incentives, alongside the more common strategies of competitions and incentivising newsletter sign-ups.

Tick box exercise

Colin Tankard, managing director of data security company Digital Pathways, commented that while the flurry of email requests in the run up to 25 May 2018 gave the impression of a great data tidy up, much of the work was in reality a tick box exercise.

“As a result of GDPR, the number of Subject Access Requests has dramatically risen - many organisations are struggling to know exactly where their PII data is or how it is stored and protected - whilst there are systems to deal with this, companies don’t seem to have signed up to them.”

He also suggested that cloud storage may present a problem. “Whilst players such as Microsoft and Google tell us they are GDPR compliant, I wonder how any company using these services can say that they are compliant in the event of any breach, as there are few tools which allow the analysing of logs in order to trace how the breach occurred.”

Incident response

Tim Woods, vice president of technology alliances at cloud security company FireMon, said that one of the biggest impacts of the GDPR so far has been on incident response.

“Article 33 of GDPR specifies that organisations must report a breach to the supervisory authority within 72 hours of detection,” he explained.

“In the world of cybersecurity, 72 hours is no time at all, and if this alone isn’t stressful enough, there’s more: It’s not sufficient to simply report the breach; companies must include information detailing the nature of the breach, the approximate number of data subjects and personal data records impacted, the likely consequences of the breach, and measures taken or proposed to address the breach and its negative effects.”

Woods argued that without a pre-defined incident response plan and the right technology, people and processes in place, meeting this 72-hour window is impossible.

“But as unrealistic as 72 hours might seem, failing to meet this deadline can result in heavy fines, loss of consumer trust and a damaged reputation,” he continued, adding: “Rather than risk severe penalties such as these, financial services organisations are reassessing their operational readiness to detect and respond to a breach, so they can make the 72-hour window an achievable goal.”
