On the 25th May 2019, it will be a year since the introduction of the General Data Protection Regulation (GDPR) in the European Union (EU). So, what has been the impact of GDPR over the past 12 months?
Well, arguably, there are two main elements to GDRP – the first is to place a statuary requirement on organisations to notify their governing Data Protection Authority (DPA) of a data breach within 72 hours of detection. And the second element is an obligation to correctly handle individuals’ personal digital information.
GDPR certainly appears to have had an impact on breach notifications. In the first 9 months after GDPR was introduced, DPAs across the EU collectively reported over 65,000 breach notifications. While it’s hard to get EU-wide statistics from before GDPR, data points from individual DPAs would suggest this represents a large increase. For example, in June 2018, the month after GDRP was introduced, the UK Information Commissioner’s Office reported 1,700 breach notifications, up from 300 – 400 per month previously.
So far, the impact of GDPR on the mishandling of data has been less noticeable. Overall, EU DPAs imposed €55m of fines for data mishandling in the first 9 months after GDPR’s introduction, but that includes a fine of €50m levied on Google by the French Data Processing Authority. In general, DPAs seem to have used the first year of GDPR as a transition year, largely providing recommendations and guidance for organisations in breach, rather than imposing fines. Even Google’s €50m fine represents only 0.04% of Google’s worldwide annual revenues – a far cry from the maximum 4% that GDPR allows. However, there is evidence that PDAs are beginning to show their teeth. Over recent months, we have seen fines levied by the UK Information Commissioner’s Office against Leave.EU and Go Skippy Insurance, sanctions imposed by the Dutch DPA on their Tax Authority and by the Portuguese DPA on a hospital that allowed open staff access to its patients’ records.
GDPR has also increased people’s awareness of how organisations handle their personal information. Complaints to DPAs totalled 65,000 in the 9 months following the regulation’s introduction, with the most common complaints concern telemarketing, promotional emails and video surveillance.
So how are organisations responding to the new demands of GDPR? Well, their initial focus was to ensure their marketing communications processes were compliant – hence the deluge of emails we all received in the months leading up to the introduction of GDPR, as companies encouraged us to give our consent for continued communications from them.
However, many organisations have not yet done the work to ensure that they can comply with GDPR’s requirements regarding data subject access requests. A survey by Talend in September 2018 concluded that 70% of businesses worldwide could not respond to data access requests (DSARs) within the 1-month time limit allowed. This is certainly backed up by anecdotal evidence from conversations with enterprise customers. Several acknowledged that they have little visibility into their unstructured data – and that if they had a breach, they would not know what was exposed. Others admitted that they took little action regarding data discovery “until the DSARs started coming in faster than they could manage”.
This has been another noticeable impact of GDPR. Individuals are now aware that they have the right to demand access to the personal information that organisations hold on them – and they are exercising that right! Customers tell us that the number of DSAR they are receiving has gone from one every now and again to 20 a month! With each DSAR taking up several hours of time from HR, Legal and IT, the rate of requests could soon become unmanageable for many organisations.
As a result, many organisations are now starting to look for tools to help them both to get control of their unstructured data and to search for personal information more effectively when they need to. Veritas’ recommendation is to take a three-stage approach – Find, Filter and Act. The first stage is to find all the repositories of unstructured data, which will include email servers, SharePoint, file servers and cloud data stores. Next, filter the data, using not only metadata, such as file type, age, owner or last accessed date, but also content classification. Finally, act on the data, based on pre-agreed policies. Actions could include deleting data that hasn’t be accessed in a certain timeframe or archiving data into a secure repository where it can be more effectively managed. This three-step approach – Find, Filter and Act – will enable organisations to gain control of their unstructured data and equip them to respond to DSARs when they arrive.
Meanwhile, GDPR has also had an impact beyond the EU. It has been used as a template for data privacy legislation across many countries. Switzerland, Norway, Iceland, and Liechtenstein have all introduced regulations that are almost identical to GDPR. In India, there is legislation in front of parliament that would impose regulations very similar to GDPR. And both Brazil and the US state of California have also passed regulations covering many of the same aspects of data privacy as GDPR.
So Happy 1st Birthday, GDPR! You may not have solved all the world’s data privacy problems in the past year, but you have certainly helped improve both individuals’ and organisations’ awareness of their rights and obligations. And you have put many organisations on the right track to managing personal information more responsibly.
Finally, if you need help with GDPR compliance, then check out Veritas’ resources.
