Are we reaching the point where a harder enforcement line is required?
The recent Data Breach Survey released by DLA Piper earlier this month deserves some comments:
It gives us for the first time some consolidated real-world statistics around the way GDPR has been handled by domestic regulators since May 25th: DLA Piper estimate that approximately 59,000 breaches had been notified to regulators across the EU up to the end of January 2019 and 91 fines imposed.
Without any element of historical comparison, it is hard to draw conclusions around the volumes of data breaches and whether they should be considered particularly high or low, but they confirm beyond anecdotal evidence the fact that the regulation is being exercised.
Leaving aside the situation surrounding Google and the EUR 50M fine imposed by the French CNIL, there are two staggering findings in the survey:
First of all, the small number of fines and the fact that the majority were “relatively low in value” suggests that the regulators have not particularly taken a hard line and maybe haven’t changed much in their way of working in spite of the increase in reporting volume.
Let’s repeat one more time that GDPR was nothing new, that most of its content was just the consolidation and harmonisation of existing legislation, and that regulators already had the power to impose fines. What proportion of those 91 fines would have been imposed anyway under the pre-existing legislation?
As we stated back in August last year, a great deal of the impact GDPR can have on business and society at large will come down to the enforcement appetite of the regulators: it does not seem to be very high at the moment, judging by the first 8 months of operation.
It remains a dangerous game for regulators to play: It could damage their credibility and limit their ability to act decisively if and when needed. And not many people in Silicon Valley have lost sleep over the French 50M fine …
The second major finding of the DLA Piper survey is hidden in the incredible difference in the number of breaches per capita between northern and southern Europe, ranging from 89 breaches notified per 100,000 people in The Netherlands to 0.9 in Italy and 0.6 in Greece.
Cultural differences are bound to play a part here (reluctance around self-reporting, trust in regulatory authorities, perception that you can “get away with things” if you hide them well enough) but it remains hard to imagine pure cultural differences accounting for such a dramatic difference:
Could it be related to differences in density between the IT and data ecosystems across northern and southern Europe?
Could it hide a still significant immaturity around data protection matters in some parts?
It is certainly our experience that maturity levels on those topics are not moving fast, in particular in small and medium firms, and that many misconceptions remain:
- Around the roles of processors and controllers (GDPR compliance is not the sole responsibility of the processor)
- Around the role of cloud providers (the fact that you have all your data on AWS does not make you GDPR compliant)
- Around some aspects of the GDPR itself (the “right to be forgotten” is not absolute and there are many circumstances where data retention is demanded by other regulations or legislations)
Frankly, all this shouldn’t come as a surprise: GDPR has been treated by many as a legal box-checking exercise rather than a truly transformational opportunity. And quite a few GDPR programmes were manipulated by snake oil vendors and alleged experts to serve their own interests.
For the many firms which have done very little in that space, the inaction of regulators breeds more “wait-and-see” and minimalist approaches.
Over time, unenforced regulations simply get ignored and become useless. It is likely that things won’t change until the regulators make them change, and sooner or later they will have to take a harder enforcement line.