David Higgins, EMEA Technical Director at CyberArk, talks to us about the way companies and organisations should be managing data to avoid hefty fines.
A report earlier this year by the global law firm DLA Piper has shed fresh light on GDPR and the way high-profile data breaches have been reported across the EU, together with the geographical spread of these breaches across EU member states. It’s now been a year since the regulation came into force, and while this anniversary might well go unnoticed in the midst of continued Brexit-related chaos, it’s a good time to reflect on the data breach numbers and what they reveal about the information that’s been reported during this period.
GDPR addresses data use AND data loss
In the eight months to February since GDPR’s implementation, 59,000 incidents were reported to regional ‘Data Commissioners’, such as the Commission Nationale de l’Informatique et des Libertés (CNIL) in France. DLA Piper based these breach numbers on data reported by some, but not all, EU members, including the UK. The first point to make is that these reported incidents do not mean that 59,000 data breaches took place. GDPR is not just concerned with data breaches, but also with the inappropriate handling and processing of data. The reported incidents here cover data abuse as well as data loss, whether accidental or malicious, though a source from within the EU Commission has found that data breach incidents, counting both malicious and accidental events, come close to 41,500.
The effects and legalities of GDPR are still rippling their way through data processing services, with Real-Time Bidding, the process that determines which adverts are shown to customers online, providing a great example of inappropriate data use. Lobbyists from several countries have launched a petition to their respective regional Data Protection Authorities looking at how EU personal data is used in this fast-growing space. Driven by the data which advertising companies have about consumers, Real-Time Bidding allows the most informed decision to be made regarding which ads will prove most appealing. Deciding which advert to show you takes a split second so there’s no time to ‘opt-in’ to the processing of this data. Separately, Google was fined €50 million by France’s data protection office (CNIL) earlier this year for failing to be transparent about how it uses its data.
It’s all about interpretation
The DLA Piper report also highlights an interesting variation in the way countries report data incidents. The Netherlands tops the list with around 15,400 reported incidents, whereas France, with a population nearly three times that of the Netherlands and a similar difference of scale in GDP, reported only 1,300. This could highlight an inconsistency between EU members as to what needs to be reported. For example, reported incidents have included simple notifications that an email was accidentally sent to the wrong recipient.
Looking at the impact of GDPR to date, the reporting of even mild infringements could explain why only 91 fines have resulted from the 59,000 reported incidents. However, the DLA Piper report does concede that there’s likely to be a backlog at the EU Commission for processing GDPR breach notifications and other types of incidents, which could result in more fines. The backlog may also be a sign that the EU underestimated the initial volume of incidents it would receive.
The main thing that’s evident from this report is that the effect of the GDPR is not yet fully understood. This is reflected by the huge variance in reported incidents per country and the ongoing arguments around the interpretation of legal data processing. The implications and interpretations will continue to play out for the foreseeable future.
Protecting EU-related data
However the effects of GDPR unfold over the next 12 months, one thing remains clear – organisations that control or process EU-related data need to protect this information and its usage with a very specific mindset. The data is not theirs but belongs to the individuals to whom it’s linked. Organisations must treat the data as something they are borrowing or looking after, not something they own. Data needs to be locked away with the right protection to ensure that only those who should use it or see it can do so. This shift of perception is vital to the importance we place on protecting EU-related data.