The success of the GDPR is seeing the Data Protection Commission receive a 71% spike in reported breaches. It’s prompting fears that GDPR might be too successful.
The success of the General Data Protection Regulation (GDPR) is once again on full display. This follows other huge success stories about how it is potentially blocking facial recognition software in the private sector, and about probes being initiated into the online dating world following revelations that some services were selling personal information to third parties without obtaining sufficient consent first. This month’s success stories were compounded by GDPR fines being rolled out by the hundreds of millions of euros, as well as regulators dealing with 160,000 breaches. With all of this being reported this month, it seems to have been a non-stop train of success.
So, what’s the problem? There might just be a bit too much success with the GDPR laws. Many companies are headquartered in Ireland as part of a method to evade taxes in certain jurisdictions. As such, these companies fall under the GDPR laws. Of course, with a larger population of companies comes the likelihood that more breaches will fall under the jurisdiction of Irish authorities. According to a report published in The Daily Swig, the number of breaches the regulators faced in 2019 spiked 71% over 2018. In all, more than 6,000 incidents were reported in 2019, or more than 16 cases per day on average. This is prompting fears of a growing backlog:
More than eight in 10 of these incidents related to unauthorized information disclosure, often occurring through basic human errors such as mis-sent emails, lost documents, and administrative oversights.
Many organizations, particularly in the financial sector, suffered repeated breaches of this nature, with the DPC calling for greater staff training, stronger password policies, and multi-factor authentication.
By contrast, there were only 223 reported cybersecurity incidents, with 108 reports of ‘hacking’, 24 of malware, and 161 of phishing, along with 17 ransomware incidents and 13 software development vulnerabilities.
In one ransomware example, a leisure industry organization fell victim to an attack which potentially affected the personal data of up to 500 customers and staff.
“At the Data Protection Commission, we have been busy during 2019 issuing guidance to organisations, resolving individuals’ complaints, progressing larger-scale investigations, reviewing data breaches, exercising our corrective powers, cooperating with our EU and global counterparts and engaging in litigation to ensure a definitive approach to the application of the law in certain areas,” said the Commissioner for Data Protection, Helen Dixon.
But, she added: “Much more remains to be done in terms of both guiding on proportionate and correct application of this principles-based law and enforcing the law as appropriate.”
And one data protection consultant working closely with the DPC told The Daily Swig she believed the organization is lagging behind other nations.
“We are one of the only countries in Europe who has failed to fine anyone under GDPR, yet we have all the big multinationals processing their data through Ireland,” said the consultant, who did not wish to be named.
“Reports of enquiries that were supposed to be published last summer are still outstanding.”
It’s worth pointing out that the backlog issue is centred on Ireland and not necessarily on Europe as a whole. Fines are being doled out against companies elsewhere; it just happens that Irish authorities haven’t yet issued a fine up to this point.
Indeed, the large numbers we are seeing do give rise to questions over whether authorities can handle such a huge volume. In February of 2019, we reported on how regulators were dealing with 59,000 breaches. The number was eye-popping at the time, considering just how new the laws were back then. At the time, a mere 100 fines had been handed out. The conclusion then, as to why so many breaches were being handled yet so few fines issued, was that regulators’ inboxes were effectively being flooded. So, even then, it became a question of whether or not law enforcement has enough manpower to deal with all of this.
On the one hand, it’s not the greatest thing in the world that we are seeing more stories of huge backlogs. This does raise the question of whether or not the laws can be enforced. On the other hand, the fact that this is the biggest problem with the law suggests that such laws were badly needed. If anything, it suggests that lawmakers had no idea just how extreme the problem of personal information randomly floating around in the ether had become. So, in setting aside resources, they probably figured that regulators might be seeing a few hundred breaches, not tens or hundreds of thousands.
Part of the problem, though understandably so, might fall on the people who read the news. A headline about several million people being impacted by a breach can easily attract more eyeballs than a data breach that affected a dozen people. So, those smaller breaches or leaks sometimes either don’t make the news or aren’t seen by those who are concerned about personal privacy. Of course, just because something isn’t reported, or you didn’t see it in the news, doesn’t mean it isn’t happening. When reporting of a leak or breach becomes mandatory, regulators get to see a large portion of the scope of the problem, rather than only what some people might see in the news.
In defence of the media, a large portion of the media is a business. So, allocating resources to certain stories needs to take into consideration how many people might see it (and see the ads in the process). You really can’t report on absolutely everything even when you have a large team of journalists. That’s an issue of practicality. So, it’s hard to say that the fault would fall on the media in this scenario.
One thing is for sure: this is probably one of those rare moments where an idea gets implemented and becomes excessively successful. At this point, resourcing and funding are really at the centre of any attempt to fix the situation. With so much money potentially being collected in fines, it really is only a matter of time before the problem gets resolved.
Drew Wilson on Twitter: @icecube85 and Facebook.