Many enterprises don’t believe they have a GDPR problem; most think they have it under control. However, figures in the recent DLA Piper data breach survey show that many companies were unprepared for it. In fact, the research released this month showed there have been 59,000 data breach notifications reported across the European Economic Area (the 28 Member States of the European Union — currently including the UK — plus Norway, Iceland and Liechtenstein) since GDPR was introduced on May 25, 2018. And this looks like just the start.
Data Breaches Pile Up
The Netherlands, Germany and the UK topped the table with approximately 15,400, 12,600, and 10,600 reported breaches respectively. The lowest numbers of reported breaches were made in Liechtenstein, Iceland and Cyprus with 15, 25 and 35 respectively.
The Netherlands, with 89.8 reported breaches per 100,000 people, topped the list when the number of notifications was weighted against country populations, followed by Ireland and Denmark. Of the 26 EEA countries where breach notification data is available, the UK, Germany and France ranked 10th, 11th and 21st respectively on a reported fine per capita basis. Greece, Italy and Romania reported the fewest breaches per capita.
In a statement about the figures, Ross McKean, a partner at DLA Piper specializing in cyber and data protection, pointed out that GDPR is a game-changer in the data and information management industries. He said that the introduction of GDPR introduced the concept of revenue-based fines in Europe and opens organizations up for possible group litigation actions. GDPR is driving personal data breaches out into the open as companies face tough sanctions for non-disclosure.
So far there have only been 91 fines applied, the largest being the $57 million fine imposed on Google by France, which was for Google’s use of personal data for advertising purposes rather than for personal data breaches.
U.S. Companies Can't Escape GDPR
Lest U.S. companies think they will escape GDPR because they are headquartered in the U.S., Peter Milla, chief data officer at Cint, believes there will be fines applied to companies in the EU, the US and other jurisdictions. In fact, he argued that this presents a significant risk for US companies, as consent processes, lack of transparency and misuse of data are only now receiving scrutiny in the US. “It is essential that businesses carefully review vendors and partners for their GDPR compliance position and only do business with companies that are compliant,” he added.
In the wake of the recent fine against Google, US and EU companies should keep in mind that another risk, aside from official regulators, will come from individual legal practitioners seeking to file lawsuits and possible faction lawsuits, Zak Rubinstein, CEO at 1Touch.io concluded.
This will be based on enterprises' inability to deliver on Data Subject Access Requests (DSARs) within the allotted time, which is 45 days. In today’s world of easily accessible technology, the expectation is that mass users of personal data will have the appropriate technologies and processes to track and protect it.
More GDPR Fines On The Way
Chris Olson, CEO of mobile and web security company The Media Trust, said what has happened already is only a taste of what’s on the way. “No doubt, 2019 will be a banner year for GDPR fines. Last year’s total of 60 foreshadows what’s to come: a consumer movement building up steam against growing surveillance of their behavior, governments responding to consumer outrage by regulating data, and large companies like Cisco, Apple and Microsoft joining the clarion call for more such laws,” he said.
The issues organizations are facing here go beyond the need for data privacy and security. They include the ability of organizations — for- and not-for-profit — to predict and influence consumer behavior in the context of purchasing, voting and the way consumers interact with those organizations.
The inordinate amount of data being collected and how it’s used are worrisome for Main Street and Wall Street. In the digital world, data is not only money, it enables influence, and, when breached, can exact enormous damage. The internet has made it difficult for consumers, fed a steady diet of information that aligns with their online behavior, to tell the difference between real and fake news. It has also provided bad actors with a fast pass to commit data breaches that have wreaked havoc with the stock market. “Organizations have the ethical and moral responsibility to secure data from breaches and refrain from abusing that data, which includes collecting them without the consumer’s consent and using them outside the scope of the purposes the consumer consented to,” he said.
Compliance Is Out in the Open
Any company should be worried if it is not compliant, as it is increasingly difficult to hide this from members of the public, according to Jean-Michel Franco, senior product marketing director, data governance, at Talend. Advocacy groups like CNIL — the French data regulators — are empowered by GDPR now more than ever.
Article 80 of GDPR reads: “Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf.” Because of GDPR, NGOs can file a complaint on behalf of thousands of data subjects, receive media coverage and land at the top of regulators’ lists.
In its explanation of the Google penalty, CNIL stated that “on 25 and 28 May 2018, the National Data Protection Commission (CNIL) received group complaints from the associations None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). LQDN was mandated by 10,000 people to refer the matter to the CNIL.”
Based on these examples, Franco said, it’s likely that more companies will be exposed to group actions. He pointed out that in addition to NOYB and La Quadrature du Net, a charity dedicated to global privacy called Privacy International also recently took action. The charity targeted not only European companies such as Criteo, but also American-based organizations like Equifax and Oracle. And even more recently, NOYB filed another complaint against streaming services including YouTube, Amazon, Netflix and Apple.
Cint's chief data officer Peter Milla, a veteran data privacy expert, believes that the French data protection authority’s $65 million fine of Google is just the first big one under the EU’s GDPR. CNIL stated that the fine punishes Google for "lack of transparency, inadequate information and lack of valid consent regarding ads personalization."
CNIL added that "users are not able to fully understand the extent of the processing operations carried out by Google" and that "the information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent."
Milla points out that while $65 million represents only a speed bump to Google, fines can reach up to 4 percent of revenue, which would be much more of an issue for Google with its total annual revenues well in excess of $100 billion.
“The point here is that this action indicates how seriously the EU intends to take its new privacy regulation and that we will see increasing GDPR fines,” he said. “Companies need to realize this risk and carefully analyze what consumer data they collect. They also need to consider how their consent mechanisms work and whether they are complying with the proper regulations when obtaining consent.”