A year ago this week, the GDPR (General Data Protection Regulation) took effect, promising to revolutionise information security. To mark the anniversary, we gathered a panel of data protection experts to discuss the effect of the Regulation and the future of data protection.
In the first half of 2018, it was practically impossible to avoid news stories about the GDPR, the majority of which focused on the potential for hefty administrative fines for non-compliance.
However, this early frenzy wasn’t mirrored by regulators. Fines trickled in across Europe, and many people’s interest faded, as they turned their attention to the implications of Brexit. According to some of our experts, like Senior Consultancy Manager Nicky Whiting, many organisations have become complacent about their GDPR compliance requirements.
“Organisations are not fully prepared, and still have a long way to go and a lot of work to do. This can be attributed to a lack of resource, Brexit distractions and a lack of buy-in from senior management,” she said.
“As media attention has waned, a lot of organisations have taken their eye off the ball. Many have concluded that the ICO [Information Commissioner’s Office] won’t be imposing fines, since there’s been little news coverage about enforcement action.”
Data Protection Consultant Clare Bryan agreed, adding: “Until fines start coming through from the ICO, organisations are unlikely to fully appreciate the consequences of noncompliance.
“Compliance is a continuous requirement and although most organisations have made a good start, there is always more to do.”
Are organisations suffering from false confidence?
Another concern about the lack of GDPR fines so far is that organisations might assume that the compliance requirements have been overblown and that they don’t have anything to worry about.
DPO (data protection officer) Consultant Loredana Tassone says: “The full extent of the GDPR’s requirements are often underestimated, and some organisations think it’s easy to ensure compliance without the support of a specialist.
“Organisations are required to ensure that their compliance project is led by somebody with specific competencies, as defined in the GDPR, particularly with regard to the DPO role.”
By contrast, Risk and Compliance Consultant Preston Bukaty said: “I haven’t seen much hubris with regard to the GDPR – everyone seems to be on the same learning path.
“Most organisations I’ve worked with don’t want to use your data in creepy ways. They want to enhance your life, and their product/service leverages certain information to do so.”
That doesn’t necessarily mean that organisations have enhanced individuals’ lives. Things are certainly better than they were a year ago, but many organisations are still figuring out how they can satisfy the needs of individuals while also using their personal data to fulfil their business needs.
How has the GDPR affected data breach reporting?
Under the GDPR’s strengthened data breach notification requirements, organisations must report all personal data breaches to their supervisory authority within 72 hours of becoming aware of them. Data subjects must be notified without undue delay if there is a high risk to their rights and freedoms.
According to the European Data Protection Board, 64,684 data breach notifications were reported in the first nine months of the GDPR’s application. But is that a true reflection of the number of data breaches that occurred?
Preston Bukaty believes so. “Data breaches are hard to hide. There’s so much technical evidence, and most statistics show that data breaches are usually reported by a third party, not the organisation itself,” he said.
“There’s less regulatory risk in admitting a mistake than there is in hiding it and being found out later.”
GRCI Law’s managing executive, Ryan Mackie, goes one step further, stating that “if anything, I believe there’s an element of ‘over-reporting’ because organisations still don’t understand what constitutes a reportable breach under the GDPR”.
However, not everyone thinks this is the case. Incident Management and Data Subject Rights Consultant Helen Pettit said: “There is still confusion about what constitutes a breach, panic about how to deal with it, and a lack of understanding of what’s recordable or reportable.”
Likewise, Senior Consultancy Manager Shaun Beresford believes many organisations “don’t know they’re now obliged to report under Article 33 of the GDPR, partly because they don’t have a proper risk management framework, partly because of the perceived reputational risk to their business, and partly because they’ve seen no significant administrative fines for infringements of the GDPR”.
How can organisations get better at reporting breaches?
Our experts agreed that, to meet the GDPR’s data breach notification requirements, organisations need to improve their staff awareness training and their processes for identifying and reporting breaches.
Some organisations have enrolled staff on training courses, but the evidence suggests that they aren’t covering essential topics or don’t discuss them in a practically beneficial way. This has led to a misunderstanding of what’s expected of staff, which will require adjustments in the way organisations approach compliance.
Which sectors have been the best and worst at GDPR compliance?
Our experts couldn’t agree on which sector had done the least to meet the GDPR’s requirements, with retail, education and the public sector among those named the worst. By contrast, the finance sector was generally considered the most prepared.
This shouldn’t be a surprise. Retail, education and the public sector have been the worst data protection offenders for years, whereas the finance sector is notorious for its adherence to numerous regulations. As such, the GDPR is simply another set of compliance requirements that financial institutions have to meet.
Want more expert opinions on the GDPR?
This blog is an excerpt from our GDPR – The Year So Far report. It includes the thoughts of data protection experts with diverse experience working with the Regulation.