The end of May will mark one year since the EU General Data Protection Regulation (GDPR) came in across the European Union. What are the effects? asks David Higgins, EMEA Technical Director at CyberArk, the cyber product company.
Whilst this anniversary might well go unnoticed in the midst of continued and ever-growing Brexit-related confusion, a recent report authored by DLA Piper has shed fresh light on GDPR. It highlights the high-profile issue of data breaches across the EU, how they were reported in the GDPR era, the fines enforced and the spread of breaches across EU members.
The report highlights that, from the time GDPR was introduced to the release of the report, 59,000 incidents were reported to the various regional “Data Commissioners,” such as the Commission Nationale de l’Informatique et des Libertés (CNIL) in France. The numbers were built from data reported by EU members (which still includes the UK) and collected by DLA Piper. It is important to note, however, that not all countries divulged such information.
What do the numbers reveal?
The first point to make is that these incidents do not imply that 59,000 data breaches took place. GDPR is concerned not only with data breaches, but also with the inappropriate handling and processing of data. Therefore, the reported number of incidents covers data abuse as well as data loss, whether accidental or malicious in origin. This shows how EU countries are required to engage in more than just GDPR data breach notification. A separate source, directly from the EU Commission, puts the number of data-breach-related incidents at 41,500, covering both malicious and accidental events.
The effects and legalities of GDPR are still rippling their way through data processing services. As a recent example, lobbyists from several countries launched a petition to their respective regional Data Protection Authorities on how EU personal data is used in the fast-growing space of Real-Time Bidding, the process that determines which adverts are shown to you online. Real-Time Bidding is driven by the data which advertising companies hold about you, since this is what allows them to make the most informed decision as to which advertisement you would find most appealing. Deciding which advert to show you takes a split second; therefore, there is clearly no possible way for the user to ‘opt in’ to the processing of their data. This is separate from the €50m fine placed on Google by the French CNIL earlier this year.
One very interesting element of the DLA Piper report is the breakdown by country of the number of incidents filed. The Netherlands tops the list with around 15,400 reported incidents. Strangely, despite having a population nearly three times that of the Netherlands and a similar difference of scale in GDP, France reported only 1,300 incidents. This, perhaps, highlights an inconsistency between EU members as to what needs to be reported. For example, reported incidents have included simple notifications that an email was accidentally sent to the wrong recipient. It would appear, although it is not confirmed, that the Dutch are playing it safe and reporting any infringement, whereas the French have a narrower interpretation of what constitutes a data incident.
The GDPR effects
Potentially, the reporting of even mild infringements could explain why only 91 fines have resulted from the 59,000 reported incidents. However, the DLA Piper report does concede that there is likely to be a backlog within the EU Commission in processing GDPR breach notifications and other types of incidents, which could mean that more fines are on the horizon. The backlog may also be a sign that the EU underestimated the initial volume of incident reports it would receive.
The main thing that is evident from this report is that the effect of the GDPR is still not fully understood. This is reflected by the huge variance in reported incidents per country and the ongoing arguments around the interpretation of legal data processing. The implications and interpretations will continue to play out for the foreseeable future.
So, what do organisations need to keep in mind? One thing remains clear: organisations that are the controller or processor of EU-related data need to protect this information and its usage with a specific mindset. The data is not theirs; it belongs to the individuals to whom it is linked. Organisations must treat the data as something they are borrowing or looking after, not something that they own. It needs to be locked away with the right protection to ensure that only those who should use it or see it can do so. It may seem like an obvious shift of perception, but it is vital in terms of the importance we place upon protecting EU-related data.