GDPR Two Years On – Has it Gone How we Hoped?

Two years ago, GDPR came into force. To date, nearly €500m in fines have been levied across the EU and UK across almost 240 separate enforcements. The UK alone accounts for a significant proportion (€315m) of those, including the largest government-issued fines in data compliance history.

As a cybersecurity practitioner, I very much welcomed the introduction of tougher measures on organizations which have materially failed to secure citizens data. Now we are two years on, did the introduction of this regulation go as planned?

July 2019 was a watershed moment

As expected, regulators largely held off within the first year. This ‘grace period’ came to a crashing halt in July 2019 when, in the space of just a few days, the UK’s Information Commissioner’s Office (ICO) stated its intention to fine Marriott International £99m and British Airways £183m. These are staggering amounts when compared to the maximum £500,000 permitted under the previous version of the Data Protection Act, a fine which was levied on Facebook after the Cambridge Analytica scandal that took place in March 2018, prior to GDPR’s introduction.

In the course of a few days it became abundantly clear to everyone that the UK’s Information Commissioner’s Office was not merely paying lip-service, and in one hit it outpaced the higher number of smaller fines issued in the rest of the European Union. The wait-and-see approach to compliance taken by some organizations came to an abrupt end.

GDPR has acted as a catalyst for regulation globally

GDPR has also inspired a large range of other legislation globally, be it the progressive Privacy Data Protection Act (PDPA) in Singapore, the Privacy Principles adopted by the Australian government, or laws created by Brazil, Japan, South Korea and Thailand. Even in the USA, which has a patchwork of state legislation for privacy, the California Consumer Privacy Act (CCPA), which goes into full force on July 1st, 2020, brings some GDPR-like controls into play.

Just 0.38% of incidents have resulted in a fine

Whilst big fines make great headlines and help organizations pay attention to the importance of data protection, how does this compare to the real level of data loss? The International Association of Privacy Professionals (IAPP) reported that in the first year over 64,000 notifications were made to privacy regulators, with only 240 resulting in a fine. Fines, then, are less frequent than we might suppose. Add to this that the frequency of breaches appears to be on the increase.

Many incidents are entirely preventable

One of the most thorough analyses of breaches is Verizon’s 2020 annual Data Breach Investigations Report (DBIR), which this year analyzed 3410 breaches compared to just over 2000 the previous year. A higher proportion of security incidents is being analyzed as confirmed breaches.

This year’s report also highlights a 5.4% increase in misconfiguration playing a role in data loss. Bear in mind that at any point in time there are billions of documents accidentally exposed on the web, often through misconfigured cloud services. All of these incidents could incur the wrath of regulators, yet all are within the gift of the company involved to manage.

Has the regulation had the desired effect on the number of breaches, or has its introduction created an increased awareness of breaches that previously went unreported? Few studies exist to tell this for certain, but it is likely a combination of both. What we do know is that over 500,000 organizations have appointed Data Privacy Officers (DPO), a post responsible in law for data protection at any organization processing significant quantities of personal data.

This must have some positive impact on how organizations handle personal data, as it is part of a DPO’s function to determine whether the resources allocated to them are adequate, and to raise a red flag to the highest management levels if this is not the case.

Looking ahead

So, what can we expect to see looking ahead? Clearly, we should not discount the ongoing impact of the current Coronavirus pandemic. Indeed, the ICO has already stated that it will suspend data audit work to focus instead on the most serious challenges to the public. Breaches continue to happen and make the headlines; we will watch with interest to see how other airlines suffering data loss are treated.

The public and privacy professionals are very alert to the implications of improper processing of personal data in contact tracing applications. With public health and the economy at risk, which priority will win remains to be seen. The Singapore Personal Data Protection Commission provided ‘emergency’ exceptions in its privacy laws allowing data to be processed without consent, though it also reminds healthcare organizations to treat that data with appropriate care.

With the current pandemic putting so much pressure on the economy and businesses, will a regulator wish to be seen to heap further misery on a business and sector already struggling under the current conditions? In more serious cases we may end up seeing greater flexibility built into the payment terms for fines.

Prevention is the best defense

Of course, the best thing that all companies can do is to adopt best practice and stay out of the regulators’ line of fire in the first place. As has always been the case, organizations that understand their digital footprint, think about their controls as they put digital transformation programs in place, and proactively manage their exposure will succeed.