The GDPR fines issued so far have been small, but breach notifications are up. As GDPR continues to ramp up, it seems likely to achieve its goals of privacy.
The original version of this post was published in Forbes.
With the European Union’s landmark General Data Protection Regulation (GDPR) now in place a bit more than eight months, it seems that at least one of its messages has had some major resonance: A cover-up will be worse, and more expensive, than a crime.
Among its multiple mandates, GDPR requires that organizations report a breach within 72 hours of becoming aware of it. Failure to do that can bring more punitive sanctions than a breach itself.
Given that the law is new, it’s impossible to say exactly how many organizations would have “forgotten” to report breaches they are now hastening to report. But it is likely the number would be considerably less than the nearly 60,000 reported last week by international law firm DLA Piper.
As partner Ross McKean put it, “the GDPR is driving personal data breaches out into the open.”
But at least so far, some of the other scare headlines—fines totaling up to 4% of annual global revenue, which could easily reach into the billions for major tech companies—haven’t come close to materializing.
Even the largest so far, €50 million ($57 million) against Google several weeks ago (which the company is appealing), doesn’t reach rounding-error status on the bottom line of a company with annual revenue of more than $110 billion. Also, only 91 fines were levied—less than a quarter of 1% of the reported breaches. Most of those have been in the range of €20,000 or less.
This is not expected to last. “So far the level of fines has been low, certainly when compared to the maximum fines regulators now have the power to impose,” the DLA Piper report said. “However, we anticipate that 2019 will see more fines for tens and potentially even hundreds of millions of Euros as regulators deal with the backlog of GDPR data breach notifications.”
According to the report, “Regulators are stretched and have a large backlog of notified breaches in their inboxes. Inevitably the larger headline grabbing breaches have taken priority when allocating resources, so many organizations are still waiting to hear from regulators whether any action will be taken against them in relation to the breaches they have notified.”
Ian Ashworth, sales engineer at Synopsys, agrees, noting that regulators are probably granting a grace period or a “soft introduction” to the law, even though arguably the grace period could have been viewed as starting more than two years earlier, in April 2016, when the GDPR was first “in play.”
“The last eight months has given businesses an extension to understand GDPR better for themselves, how it actually relates to them and to learn exactly what they need to do to become compliant,” he said.
“But I believe sanctions will become much tougher. Businesses will have been much more aware of their obligations and the severity of consequences. This honeymoon period cannot go on forever.”
Chris Olson, CEO of The Media Trust, said there is another way to look at the number of fines—there has been an average of three per week, “which isn’t bad considering that regulators also need to ramp up their operations.”
“We will see two things converge,” he said. “Companies will prepare to avoid blatant violations and other issues they must report, which will reduce the number of reports and fines; and regulators will have more precedents to lean on as they ramp up, so they will be better equipped to levy fines.”
With the law still in its first year, “I don’t think regulators necessarily know which are big data privacy problems or small yet,” he said. “They are not ramped up yet and are reticent to levy fines that are too big or too small until they know how big the issue will be over time. Setting precedent is risky, and they should not play their full hand yet.”
Also, he thinks organizations should get points for trying. “The Media Trust has advocated for a safe harbor period for companies that can prove they are addressing problems to try to reach compliance,” he said.
The European Commission’s official breach notification numbers are significantly less than those compiled by DLA Piper, at 41,502 between May 25, 2018, and Jan. 28, 2019.
But that number included just 21 of the 28 EU member states and left out Norway, Iceland and Lichtenstein, which are not in the EU but are part of the European Economic Area (EEA) and therefore subject to the same regulation.
DLA Piper counted 59,430 breach notifications, with The Netherlands, Germany and the U.K. topping the list with approximately 15,400, 12,600, and 10,600 respectively. The Netherlands also had the most per capita, with 89.8 per 100,000 people, followed by Ireland and Denmark.
Of course, the stated goal of the GDPR is not just to collect fines but to push organizations that collect the confidential data of their users to protect it and keep it private. And it is too early to tell if that is happening in any significant way.
Igor Baikalov, chief scientist at Securonix, told ITPro that “there are no prior measurements to judge whether GDPR enforcement improved data security and by how much; the only fact the survey establishes is that GDPR works and it gives us a reference point to track its progress.”
Ashworth said he expects the changes to be incremental, and to begin with better detection and response to breaches. The longer-term goal, of course, is prevention, which will require organizations to “appraise their architecture and overall security posture and then build robust solutions to defend their data and brand reputation.”
That, he said, will likely be a heavier lift. “I’m not sure businesses are as clear on how this can be achieved,” he said.
And Olson said while some things are already improving, it will take a major shift in thinking, not to mention the business model of data collectors, for the goals of the GDPR to be reached.
“The ability to be forgotten on a digital asset is improving,” he said, “but what organizations still need to comprehend is the critical nature of identifying all of the digital third parties they work with. Third-party vendors are often less secure and most likely have fewer resources to adhere to data privacy laws. Those are the reasons cybercriminals specifically target these smaller companies.”
Beyond that, “it’s not just personal information that must be protected,” he said. “It’s also the behaviors, geographic location data, purchasing activity, demographics and more that must be made transparent. These types of problems run deep, as the digital ecosystem is ‘paid for’ by these types of data.”
And until companies become more focused on the safety of their customers instead of who is tracking or targeting them, “security won’t improve and there will only be incremental advances in personal data protection,” he said.