Six months of the GDPR: What do we know?

October marked six months under the new GDPR regulations. The findings from this initial period suggest that consumers are increasingly holding companies accountable for proper data security and that many companies still have work to do on GDPR compliance.

There has already been a significant increase in the number of complaints from consumers about data protection. Statistics from the UK’s Information Commissioner’s Office (ICO) highlight this trend: From May 25, when the GDPR went into effect and July 3, the ICO received 6,281 complaints about potential data breaches. This represents a 160 percent increase compared to the same time period in 2017.  

The GDPR also has strict regulations about the proper collection and disclosure of personal data—regulations that companies are finding as difficult to comply with as the cybersecurity strictures. A survey conducted in August by Imperva, a cybersecurity firm, showed that almost one-fifth of respondents were not confident their company would pass their first GDPR audit.

Biggest risk is human error, not hackers

The wave of complaints to the ICO may reflect a greater awareness among individuals concerning their rights under the GDPR. Given the effort governments made to educate the public about the GDPR provisions and the constant stories concerning data breaches, it would be reasonable to expect public scrutiny to remain high.

This scrutiny will only increase pressure on companies, many of whom are still struggling to meet GDPR requirements. As part of the GDPR, companies must now report all potential data breaches to authorities within 72 hours. This has given the public an unprecedented look into the present state of data security in different organizations. As with complaints, the number of self-reported breaches has also risen, up 29 percent from last year, according to the ICO.  

Worse, many of these breaches may be of the companies’ own making rather than as a result of malicious attacks. A recent analysis by the cybersecurity and investigation firm Kroll revealed that data breaches are much more likely to be the result of human error than attack. Of the reported incidents that specified a type of breach, 2,124 breaches between October 2017 and September 2018 could be attributed to human error while only 292 were deliberate hacks. This analysis exposed the health sector, in particular, for its poor data security practices. It was responsible for over 1,000 reported data security incidents.

Companies struggle to meet GDPR requirements

The GDPR requires businesses to be able to show individuals the data they have on them upon request, known as a subject access request (SAR). According to the Imperva survey, roughly 90 percent of respondents claimed they could easily respond to a SAR. However, this self-assessment may have been overly optimistic: A recent study by the cloud computing service Talend shows that over 70 percent of companies could not fulfill a SAR in the legal timeframe of 30 days set forth in the GDPR.

Between June 1 and Sept. 3, Talend analyzed the responses to personal data requests that were sent to 103 companies. The companies selected operate in a wide range of industries and are either based in or operate in Europe. Retail services had the worst response rate, with 76 percent of businesses failing to respond with the requested information within the one-month limit.

Businesses based outside of EU-member countries were able to deliver the reports before the deadline 50 percent of the time. While still poor, it was strangely much better than companies based within the EU, who only met the deadline 35 percent of the time. What is more concerning is that supplying a user with a SAR is not new legislation in much of the EU. The GDPR merely shortened the amount of time a company had to reply to a SAR from 40 days to 30 days.

Conclusion

Researchers used SAR response rates and the number of reported data breaches or data breach complaints as a proxy for overall GDPR compliance because these are concrete results that are easier to quantify than other requirements, such as “implementing organizational measures.” Thus far, the results have not been encouraging. To see that over two-thirds of companies cannot respond to a SAR in the legal timeframe or that the majority of potential data breaches are caused by human error shows that organizations are either not taking the GDPR seriously or are struggling to bear the costs of compliance.

Given the breadth and complexity of what the GDPR mandates, it is not surprising to find that companies are still having compliance issues less than one year after its introduction. That being said, the GDPR sets forth firm regulations, not goals to shoot for. It’s still unclear whether non-compliance is the result of ignorance, inability, unwillingness, and so it remains to be seen whether regulators will choose to crack down on non-compliance with strict fines or through programs meant to help organizations find the resources to comply.

However, in some respects, it appears the GDPR is already a success. European Internet users are already exercising their rights under the GDPR and demanding more data security and transparency from companies.