Beyond the €50m General Data protection Regulation (GDPR) fine issued by the French data protection authority CNIL to Google, there have been few headline-making fines.
Despite more than 140,000 queries and complaints and more than 89,000 data breaches reported, fines for businesses in the European Union (EU) have amounted to little more than €56m, leading some commentators to state the GDPR has no real teeth after all.
However, indications are that this will change in the year ahead. Many data privacy professionals believe the enforcement action widely expected in the first year will come in the next 12 months. The reason is simple: these things take time.
At the Privacy Laws & Business Ireland conference in Dublin on 9 May, Helen Dixon, Ireland’s data protection commissioner, said she would circulate draft decisions to her EU colleagues this summer. “There is a procedure to follow, and that takes time,” she said.
At the same event, the head of regions for the UK’s Information Commissioner’s Office (ICO), Ken Macdonald, said a large fine in the UK was just a few weeks away.
Reporting breaches of data privacy rights is just the first step. Each of these complaints has to be investigated, evaluated and the appropriate response considered. Facebook, LinkedIn, Twitter and several other organisations are all currently under investigation for potential GDPR breaches.
This all takes time, slowed even further by the fact that this brave new world of data protection rights is new for everyone. This even includes the data protection authorities in each of the EU member states and the European Data Protection Board (EDPB), which reports that in the past year, a total of 446 cross-border cases were logged in its cross-border case register, and 205 of these cases had led to One-Stop-Shop (OSS) procedures.
Despite the fact that the GDPR had been on the cards for more than four years, with the European Parliament demonstrating strong support for the GDPR in March 2014, and a regulation for just three years, the majority of organisations affected by the regulation are nowhere near full compliance…
Another common GDPR compliance challenge that many organisations are still struggling with is identifying if an incident happened and why it happened, according to Carolyn Crandall, chief deception officer at Attivo Networks.
“They have trouble modifying their strategy to report within 72 hours. Previous directives from the EU made no specific mention of data breaches, and GDPR now sets a clear directive as to what constitutes a data breach, how the incident is to be reported and the substantial penalties for not complying,” she said.
“This has required businesses to reassess their technology and processes to understand their ability to detect, audit and report breaches in compliance with GDPR. Closing these gaps, in many cases, requires the adoption of new technology to ensure that the attack is not only detected, but understood in a way that can explain the magnitude of the breach and the corrective actions to contain it.
“Whether it be access to budget, skills shortages, or otherwise, a fair amount of organisations remain hard-pressed to comply with this requirement if faced with a breach today,” she said.