Data Breach Reports and Complaints Have Increased Significantly Post-GDPR
The General Data Protection Regulation (GDPR) provided EU residents with new rights and freedoms and gave EU citizens greater control over the personal information that is collected, processed, and used by companies.
One of the rights given to EU citizens is the ability to submit complaints to the data protection authority when they feel that their personal data is being misused or has not been protected. GDPR also requires companies to disclose certain data breaches within 72 hours of discovery.
Since GDPR came into effect on May 25, 2018, there has been a considerable increase in the number of data breaches reported by companies in Europe.
Data breach reports in the United Kingdom quadrupled in the first three months since GDPR came into effect and in Ireland data breach reports doubled.
A study conducted by Kroll shows there was a 75% increase in data breaches reported to the Information Commissioner (ICO) – The supervisory authority in the United Kingdom – in the past year. The Kroll study showed the ICO had received more than 2,000 data breach reports in the past year that could be attributed to human error, compared to just 292 the previous year.
The most commonly reported breaches were emails sent to incorrect recipients (447 incidents), misdirected letters and faxes containing personal information (441 incidents) and loss or theft of physical records (438 incidents). There were 102 cases of unauthorized accessing of personal information, most commonly due to cyberattacks. The most commonly breached industry was healthcare, accounting for 1,214 of the 2,000 reported incidents.
These figures indicate there has been a major increase in data breaches, since the majority of these breaches were reported prior to the effective date of GDPR, although Kroll suggests the rise is, to a large extent, a result of increased transparency due to GDPR with UK companies choosing to abide by GDPR rules ahead of the deadline for compliance.
Kroll also suggests that there is likely to be a substantial increase in the penalties issued for preventable data breaches, as prior to the implementation of GDPR, the maximum possible fine was £500,000 in the UK. Now that GDPR is in force, the maximum penalty is €20 million – £17,845,000 – or 4% of global annual turnover, whichever is the greater. The risk of a substantial fine on top of the cost of dealing with a breach and repairing reputational damage is likely to see companies pay much more attention to data security and invest more heavily in data protection solutions.
Privacy and data security complaints have similarly increased. ICO figures show data protection complaints from consumers have substantially increased since GDPR came into effect. In the first three months since GDPR came into force, the number of data protection complaints have doubled. Prior to the introduction of GDPR in May, ICO had received 2,310 complaints but that figure jumped to 3,098 complaints in June and 4,214 complaints in July.
There have also been significant increases in complaints in other countries in Europe. The supervisory authority in France received 37% more complaints between May 25 and July 31, 2018 compared to the previous year and in Ireland there has been a 65% increase in data protection complaints since GDPR came into effect.