Only a handful of companies were 100% compliant when GDPR (General Data Protection Regulation) went into effect on 25 May 2018. Companies spent whopping sums of money to meet the new GDPR compliance checklist, as non-compliance would mean the end of the business itself.
It’s been a year since GDPR went into full effect and it has had a clear global impact.
According to a report by the new European Data Protection Board (EDPB), privacy authorities received close to 65,000 data breach notifications and regulators in 11 European countries have imposed fines amounting to $63 million.
The EDPB is an independent European body based in Brussels that was created as part of GDPR. The organization's mandate is to oversee and ensure that the new compliance rules are applied consistently across the European countries. It will also encourage cooperation among the EU's data protection authorities.
Findings of the EDPB Report
A recent report published by EDPB reviewed the first 9 months of GDPR by studying data provided by all 28 EU member states, as well as Norway, Liechtenstein and Iceland, since they also comply with GDPR.
It found that the total number of GDPR cases reported by Supervising Authorities (SAs) from 31 European Economic Area (EEA) countries is 206,326. These cases included:
• Complaints (94,622), where Europeans can file complaints to the SA about a company’s data protection practices under Article 77.
• GDPR data breach notifications (64,684), where companies that suffer a breach that might have leaked personal information of Europeans must notify the authorities.
Out of these cases, 1% are subject to lawsuits before national courts, while 52% of them have been closed.
Monitoring Supervising Authorities
One of the objectives of this report is to carry out a status check on how SAs are handling GDPR, and whether it is being applied consistently in all states. Between 25 May 2018 and 18 February 2019, there were no dispute resolution requests, which is indicative of cooperation among the SAs as they have been able to come to a consensus in the cases so far.
The feedback on the new system from national regulations was also really positive according to the report. A dedicated expert subgroup has been formed to take care of continuous enhancement of the GDPR system based on feedback collected through an IT helpdesk. The helpdesk was provided by the EDPB Secretariat, which is dedicated to extending support to the EDPB members.
The Rise in Data Breaches
DLA Piper said that, based on their own research that covered 23 of the 28 EU states and Iceland, Liechtenstein, and Norway:
“There have been 59,430 reported data breaches over the same period across Europe. The Netherlands, Germany and the United Kingdom came top of the table with the largest number of data breaches notified to supervisory authorities with approximately 15,400, 12,600 and 10,600 breaches notified respectively.”
Companies have taken measures to comply with GDPR, as facing the consequences is far worse. Honan, who leads BH Consulting, a Dublin-based information security consultancy, says that the steady rise of data breach notifications doesn’t necessarily mean breaches are more frequent now. It indicates that more breaches are being revealed on account of the mandatory GDPR data breach notifications. The main thing that’s changed is awareness.