By Yotam Gutman at SentinelOne. It’s been two years since the advent of the EU’s groundbreaking GDPR scheme, which was implemented in an attempt to force data collectors to tighten up security over the information they collected on users of their services and to provide more transparency and standardization about exactly what and how they collect data. The GDPR is far from an exercise in toothless bureaucracy, though, with penalties faced by those found to be in breach of the regulations regarded as among the most stringent ever proposed.
With data breaches still a regular occurrence and increasingly among the primary objectives of cyber threat actors, just how successful has the GDPR “stick” of punishing fines been after two years of implementation? Has the “fear of a GDPR fine” changed the landscape of data protection, or merely increased the burden on organizations already struggling to deal with gathering and securing the masses of data needed to drive their businesses forward?
GDPR: Fines in Action
There have been around 340 GDPR fines amounting to a total of around $180 million over the last two years, although two of the largest fines amounting to another $350 million together are still to be confirmed in the coming weeks. That could total up to around half a billion USD before 2020 is done and dusted.
The first fine under GDPR was enacted on a bank in Bulgaria for ignoring the right to be forgotten, almost immediately after GDPR became mandatory in May 2018. The first UK GDPR fine was declared more than a year later, in December 2019, regarding a London firm called Doorstep Dispensaree Ltd, which supplies medicines to thousands of elderly care home residents. The company stored 500,000 medical documents containing sensitive information outside its offices, in unlocked containers. This earned the company a £275,000 fine for breaching GDPR rules. The most interesting facet of this incident is that it did not involve any digital record of any kind, only paper documents.
However, in the 18 months that have passed since this incident, many other organizations and companies have joined the not-so-prestigious club. The most recent country to impose a GDPR fine was Ireland, which in May 2020 fined Tusla, a child and family agency, for disclosing the location of children to unauthorised parties.
While the smallest fine has been a meager €90 received by a hospital in Hungary in November 2019, some of the larger fines have been extremely severe:
British Airways – $229 million proposed fine for a data breach affecting half a million customers.
Marriott Hotels – $123 million proposed fine, or 3% of global annual revenue, for a breach leaking records of 339 million guests.
Google – fined $57 million for lack of transparency on how its Android operating system processed user data.
TIM (Italian telecommunications operator) – fined $27.8 million for unlawful data processing, non-compliant aggressive marketing strategies, invalid collection of consent and an excessive data retention period.
Österreichische Post AG (Austrian postal service) – fined $20 million for illegally using marketing data.
Deutsche Wohnen SE (German real-estate company) – fined $16.5 million for retaining historical data without a lawful basis.
Eni Gas e Luce (Italian gas and electric company) – fined $13 million for processing personal data and activating unsolicited contracts.
1&1 Telecom GmbH (German telecom) – fined $11 million for failing to have sufficient protections to prevent unauthorized access to customer information.
Dixons Carphone, UK – fined $630,000 for a data breach that exposed customer data to hackers for over 9 months.
Equifax – fined $630,000 for failing to protect user data belonging to 15 million British customers in its 2017 data breach.
(Note: organizations are always fined in their local currency; the above figures are approximate USD equivalents at the time of writing.)
The Marriott and British Airways cases are still under review, with the final decisions expected to be announced in August 2020.
Additional decisions are being considered regarding fines for Google, Twitter and fashion retailer H&M. It seems that the larger the company and the heavier the fine, the longer it takes the regulators to charge the violators and then to actually fine them.
Has COVID-19 Impacted GDPR?
On May 4, 2020, the Hungarian Government issued a Decree that suspends, during the COVID-19 state of emergency, the one-month deadline that controllers have under the GDPR to reply to data subject rights requests. The Decree also allows public entities to refuse or suspend freedom of information (“FOIA”) requests in certain situations. The Decree has been heavily criticized by civil society groups and prompted scrutiny by the European Data Protection Board (“EDPB”). For organizations with data collection activities that fall under Hungarian jurisdiction, it is worth noting that the EU may well challenge the Hungarian government’s suspension and could even rule it illegal.
More generally, it is likely that the ongoing trend of “working from home” will also have some effect on data breaches, and these are likely to increase in the second half of 2020, triggering additional GDPR notifications and responses. The International Association of IT Asset Managers (IAITAM) has warned that at-home work due to the COVID-19 pandemic is leading to a spike in data breaches that is greater than anticipated.
Contemporary Trends, Threats And Challenges
GDPR was supposed to reduce the overall number and severity of data breaches by giving companies an incentive to avoid being fined. But the evidence since it came into effect suggests that the outcome has been neither conclusive nor uniform across all member countries.
In Britain, for example, breach reporting increased almost 324.24% between May 2018 and May 2019, with the Information Commissioner’s Office (ICO) recording 14,000 breaches over the period. However, the same body reported it received 19% fewer data breach notifications in the first quarter of 2020 than it did in the same period the previous year. This might indicate less fear of the regulator, either due to fines being less punitive than anticipated or to the UK’s impending exit from EU regulation (“Brexit”) and uncertainty about what, if any, regulations businesses will face from the ICO once GDPR is no longer part of British law.
The recent DBIR report noted that hackers are specifically looking for credentials and personal data. 58% of attacks resulted in compromised personal data, and 37% of attacks either used or stole user credentials. This spells bad news for organizations since theft of such data will almost always trigger GDPR notification. Another recent trend is that aggressive ransomware gangs extort enterprise victims not only by denying them access to their own corporate data but also by threatening to dump that data in the public domain, again triggering breach notifications and all the subsequent headaches.
Has the GDPR Achieved Its Aims?
GDPR redefined privacy as a fundamental right and made corporate entities stewards of our data. As a result, proper data identification and handling is mandated under GDPR, with fines as a severe stick for non-compliance. To measure its success, however, we need to look not so much at the total amount of fines collected, but rather at the shift in mindset it has created.
This is not limited to European territories, of course. The regulation has become a model for many national laws outside the EU, including those of Chile, Japan, Brazil, South Korea, Argentina, Indonesia and Kenya. The California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities with GDPR.
GDPR and similar regulations such as those mentioned above have encouraged organizations to try to prevent or limit the risks of a potential data breach by upgrading and improving their cybersecurity measures, and that can only be a good thing for all.
However, it remains a challenge for many businesses to factor in the cost of non-compliance, when fines can amount to as much as 4% of global annual turnover. For this reason, many businesses operating within the jurisdiction of GDPR or similar regulations have seen fit not only to upgrade their cybersecurity defences but also to appoint a Data Protection Officer to take responsibility for overseeing compliance.
There is no doubt that GDPR has changed the landscape of data collection and protection since May 2018, not just in Europe but across much of the world’s markets. However, despite the penalties, the data breaches keep on rolling, and customer data keeps on being leaked and traded.
To some extent, this can be seen as enterprises still playing catch-up on years of poor or neglected data protection practices and legacy security technology. The threat actors are still out there punishing those that have not upgraded the technology they need to secure their clients’ data, and the regulators are out there punishing those that have not upgraded their data collection procedures and policies. If that tells us anything, it should be that data protection is a fundamental priority for every data collector. If an organization gets punished by the bad guys, it can expect the regulators to be lining up right behind them.