It’s been a little over two months since the European Union's data privacy law went into effect, and it is already having an impact on how users are interacting with online companies.
Most striking is the increase in data breaches being reported, as companies scramble to meet the regulation's mandatory reporting requirements. The General Data Protection Regulation (GDPR), which went into effect on May 25, specifies that breaches need to be reported “without undue delay,” and, where possible, no later than 72 hours after the organization’s data controller becomes aware of them. Organizations that fail to comply with reporting requirements face fines of up to 2 percent of annual global revenue, or $12 million (€10 million), whichever is greater.
The United Kingdom’s Information Commissioner’s Office received 1,750 data breach reports in June, more than double the 700 reports it received in May, the agency said in a recent webinar. In comparison, the ICO received about 400 breach reports in March and April, just before GDPR enforcement went into effect.
The higher number does not necessarily mean there were more data breaches since GDPR went into effect, but rather that organizations are reporting them in greater numbers.
Along the same vein, Ireland’s Data Protection Commission received 1,184 data breach reports since GDPR went into effect, according to The Irish Times. The Data Protection Commission received an average of 230 reports per month in 2017.
According to Politico, the Australian data protection agency received 59 data breach notifications since the GDPR took effect.
"June was the first full month with the GDPR in place, so it is unsurprising to see an increase in the number of personal data breaches reported to the ICO," Anna Flanagan, an attorney specializing in data protection law at UK-based law firm Pinsent Masons, said in a report on out-law.com, a news service run by the firm.
Article 33 of the GDPR requires data controllers to report data breaches to the supervisory authority unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (the data subjects).
One of the reasons for the spike is that organizations are rushing to report everything, just to be on the safe side and avoid fines. Of the more than 1,100 reports the Irish DPC received, the regulation applied in 953 cases. The ICO also noted a trend toward over-reporting during its webinar.
"[Controllers] are so concerned about not complying with the notification requirements that they are notifying the ICO of breaches that don't meet the threshold for notification,” Flanagan said. Under GDPR, the organization’s data controller is supposed to decide whether the breach needs to be reported. Flanagan suggested data controllers maintain internal records listing data breaches that do not meet the notification threshold.
The 72-hour deadline may also be encouraging organizations to report incidents that may not be data breaches at all, or to report with an insufficient level of detail because the investigation is still ongoing. GDPR allows an organization to take longer before reporting a breach as long as it explains the reasons for the delay.
More Reports Overall
While GDPR’s stricter reporting rules and hefty fines drove up the number of data breaches being reported, organizations were already beginning to self-report in greater numbers. The ICO said in its 2017/2018 Annual Report that there was a substantial 29 percent increase (3,156 reports) in the number of self-reported data breaches over the past year. The report covers the year ending March 2018, so the figures are all from before GDPR went into effect. The health sector accounted for 36 percent of the total reports made over the past year, followed by education, at 11 percent.
With self-reporting now mandatory under GDPR, the number of data breaches being reported is expected to rise further in the 2018/2019 year.
In just over 60 percent of cases, the ICO took “no action” against the organization, according to the Annual Report. While some form of action was required in the remaining 40 percent of cases, a monetary penalty was applied in only 0.3 percent of cases. The fines were for failures to comply with the old Data Protection Act 1998 (DPA) and violations of the Privacy and Electronic Communications Regulations (PECR). An example is the £500,000 fine against Facebook earlier in July, the maximum possible fine under the old DPA.
The ICO said Facebook’s privacy violations occurred before GDPR went into effect, so the company was not subject to fines of up to 4 percent of its annual global revenue, or $23 million (€20 million), whichever is greater.
Under GDPR, consumers can also file complaints, such as issues involving disclosure of personal data and access requests. The Annual Report found that people were more aware of their privacy rights, as data protection complaints rose by 14.5 percent. The ICO also received 46,000 more calls than in the previous year, a 24.1 percent increase. The number of live chats rose by 61.5 percent.
Ireland’s Data Protection Commission also recorded 743 complaints, with the regulation applying in 267 cases, per the Irish Times report. France's data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), saw the volume of complaints increase by more than 50 percent, according to Politico. Australia received 128 complaints in the first month, equivalent to the number of complaints received in an eight-month period before the GDPR.
"This is an important time for privacy rights, with a new legal framework and increased public interest," said information commissioner Elizabeth Denham.