Hailed as the biggest shake-up to data security legislation in twenty years, the introduction of the General Data Protection Regulation (GDPR) in 2018 signified the start of a new era in the way corporate entities handle sensitive information.
In the months leading up to 25th May 2018 – the date that the legislation came into force – panic gripped unprepared organisations that feared the penalty for non-compliance: fines of up to €10 million or two per cent of total worldwide annual turnover of the previous financial year, whichever is higher. As the clock ticked down towards the date of enforcement, GDPR became the priority for British businesses as they worked to align their practices and policies with the requirements of the new legislation.
One of the key features of the regulation is the need for organisations to disclose to national data protection agencies (DPAs) any breaches of security leading to “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed to local data protection authorities not later than 72 hours after having become aware of it”.
Now, more than one year on from May 2018, new figures from DLA Piper suggest the UK has had one of the largest reported numbers of data breaches in the EU since this date, coming behind only the Netherlands and Germany, with the Netherlands, Germany and the UK notifying approximately 15,400, 12,600 and 10,600 breaches respectively. Unfortunately, a lack of official standards among EU data protection regulators with regard to reporting statistics makes the collection of compliance data a persistent challenge.
Yet, a number of European DPAs have voluntarily confirmed that the implementation of GDPR has in fact led to a sharp rise in reported data breaches. According to the report, EU data protection regulators have received a grand total of 41,502 data breach notifications since the date of enforcement last year.
The report showed that the Netherlands had recorded the largest number of data breach reports per capita, with Ireland and Denmark following closely behind. The figures placed the UK tenth on the list, while countries with the fewest data breach reports were revealed to be Greece, Italy and Romania.
As the regulation is still only in its second year, it’s clear there are still creases to be ironed out with regard to its impact and importance and how data should be reported. Data protection authorities across the EU will soon be publishing annual reports, which will give a wider and better picture of the level of compliance.
While headlines pertaining to breaches of the regulation have so far centred around the poor data practices of internet conglomerates such as Google and Facebook, the year ahead will see more stringency applied to enforcement of the GDPR as the world watches closely to try and better understand the strengths and weaknesses of the legislation.