The first 12 months of the GDPR have seen mixed results, according to European watchdogs.
While the new regulations have been a success in providing a unified framework for data breach notification, this impact has not been matched in imposing fines on companies that mishandle or fail to adequately protect their customers’ personal data.
At a conference in London hosted by the International Association of Privacy Professionals, Stephen Eckersley of the UK Information Commissioner’s Office (ICO) said there had been a “massive increase” in reports of data breaches.
A total of 206,326 cases had been reported across the 31 EU countries in the first nine months of the new regulations, according to a report in February by the European Data Protection Board. Around 65,000 of these were notified to the relevant authority by the data controller and approximately 95,000 were complaints.
Mr Eckersley suggested organisations were reporting breaches on a “just in case” basis. As a result of the surge in notifications, the ICO has established a team dedicated to handling queries from data controllers unsure as to whether they need to make a formal notification.
Eckersley also estimated that there will be around 36,000 breaches reported in 2019, a significant increase from the previous annual reporting rate of between 18,000 and 20,000 breaches.
Since the new regulations took effect, European data protection agencies have issued fines of over €56 million for GDPR breaches. However, €50 million of this was issued to Google by the French data regulator, CNIL, for its “massive and highly intrusive” data security breach.
Mr Eckersley noted that in the UK, fines had been issued to Uber, Facebook and Equifax but that the past year had been mostly focused on legacy investigations.
This message was echoed by European watchdogs, who said the first 12 months of the GDPR “should be considered a transition year” and that they are just “getting started” in issuing fines for GDPR violations.
Mr Eckersley revealed at the conference that the ICO had, in collaboration with counterparts in the Netherlands and Norway, established a matrix for agencies to calculate fines, although this would not be publicly available.