Privacy Watchdog Counts 41 Daily Breach Reports Since GDPR Enforcement Began
(euroinfosec) • December 10, 2018
Under GDPR, organizations that suffer certain types of breaches must inform the ICO within 72 hours of learning that they have been breached.
The U.K.'s privacy watchdog says that six months after enforcement of the EU's General Data Protection Regulation began, it's seen a dramatic increase in the number of data breach reports (see: Europe Catches GDPR Breach Notification Fever).
Under GDPR, organizations that suffer a breach involving Europeans' personal information must file a report with the appropriate regulator within 72 hours of learning of the breach if it included "high-risk circumstances." In the U.K., breached organizations must report the incident to the Information Commissioner's Office (ICO).
Residents can also file complaints with the ICO if they believe that their personal data has been misused or not properly secured (see: GDPR Effect: Data Protection Complaints Spike).
Since GDPR enforcement began on May 25, the number of complaints and breach reports has skyrocketed, U.K. Information Commissioner Elizabeth Denham said last week in a speech delivered to the 50th Asia Pacific Privacy Authorities Forum in Wellington, New Zealand.
"It's just over six months since the new law came into effect across Europe, bringing with it greater accountability, transparency and consumer control. As anticipated, I am seeing more of everything in the U.K.," she said.
That includes "more complaints from the public - from 9,000 to 19,000 in a comparable six-month period - complaints about subject access, data portability and data security," she said. "All of our frontline services have jumped by at least 100 percent."
Excerpt from the General Data Protection Regulation
Breach reports have also increased, with the ICO receiving more than 8,000 such reports since May 25, she said.
GDPR allows Europeans to file class-action lawsuits against breached organizations not just to recover material losses, but also non-material damage compensation, potentially including for any inconvenience and distress they suffered (see: British Airways Faces Class-Action Lawsuit Over Data Breach).
Privacy Awareness Increasing
Denham says GDPR is helping to fuel greater privacy awareness among Europeans and a corresponding increase in accountability for organizations that buy, sell, trade or store Europeans' personal information.
"As people become more aware, they expect - they demand - greater safeguards and control. The ICO's research tells us that only one in three people in the U.K. trust organizations to handle their personal data in line with the law. That's better than it was, but it's still not good enough. Businesses that embrace a commitment to strong privacy protection will be the ones to flourish," she said. "Trust in this space is hard won, but easily lost."
Notification Speed a Litmus Test
Denham says that the 72-hour deadline for an organization to report a breach to the ICO is serving as a litmus test for the efficacy of organizations' information security practices and procedures.
That's because breached businesses, when alerting the ICO to the fact of a suspected breach, must include specific details about the apparent scope and severity of the breach.
"If, within the 72-hour time limit, a U.K. organization has no clue as to the who, the what, the how of a breach, then it is clear that they do not have the required accountability data checks and balances in place - as required by law," Denham said. "I believe that data breach reporting drives companies to invest in better security and better data governance. For this reason, I believe breach reporting to be one of the most significant upgrades in the new law."
The ICO has made it clear that timely and complete breach notifications are required and that breached organizations that fail to fulfill this obligation may find themselves on the receiving end of fines.
"It is fundamental to GDPR compliance that businesses have suitable systems in place to understand when an incident has occurred, ensure the correct personnel are engaged and assess the risks of what has occurred," attorney Laura Gillespie, who specializes in data protection law at Pinsent Masons, says in a blog post. "They will then be enabled to fully assess whether a notification to the ICO, and potentially also the data subjects, is required."
EU Claims Privacy 'Best in Show'
Denham said that when crafting GDPR, privacy experts attempted to incorporate best practices from around the world.
"Fair information practices and breach notification originated in the U.S.; accountability and 'privacy by default and design' in Canada; codes of practice from the U.K. and New Zealand; and innovation measures from East Asia," she said. "The Europeans took the 'best in breed' to create a 'best in show'."
Other governments are now following suit, putting in place better data protection policies and standards (see: California's New Privacy Law: It's Almost GDPR in the US).
"That's not to say a cut and paste of the GDPR is the solution for anyone," Denham said. "It's fit for purpose in Europe; but that doesn't mean it's fit for purpose the world over. Each nation's culture and constitution, legal framework and trading relationships play an important role when it comes to data protection. Those differences must be acknowledged and respected."