GDPR One Year On: It’s Time to Look Back
Organisations must treat the data as something they are borrowing or looking after, not something they own. It needs to be protected in the right way to ensure that only those who should use it or see it can do so.
Since the introduction of the General Data Protection Regulation (GDPR), European Union (EU) organisations have reported 59,000 incidents, including data breaches and other inappropriate handling and processing of data, to the various regional data protection authorities, such as the CNIL, France's independent administrative regulatory body. The numbers were built from data reported by EU member states, but so far fewer than 100 fines have been issued by regulators.
A law firm recently released a paper looking into incidents reported — both GDPR breach notifications and other kinds of notifications — fines enforced, and how reports and fines are spread across EU member states. According to their findings, the European Commission's official statistics show 41,502 data breach notifications between May 25, 2018, and January 28, 2019 (Data Protection Day). Their own analysis counted 59,430 disclosed data breaches across Europe over the same period, with Germany, the UK and the Netherlands together responsible for two-thirds of data breach notifications.
India is taking steps to enact a data protection framework modelled along the lines of GDPR. In 2017, the Indian government formed a data protection committee to study the issues involved. The committee proposed a comprehensive law on data protection, the Personal Data Protection Bill, which incorporates many elements of the EU's GDPR. But the report submitted by the committee failed to weigh the economic costs and benefits of implementing a GDPR-style law. For a better data protection framework, India needs to carefully evaluate the direct as well as the indirect costs, and more research is needed before such laws can be incorporated effectively.
Recently, a €50 million fine was imposed on Google by the French data protection authority (CNIL) for processing personal data for advertising purposes without the consent required under GDPR. The backlog of reported incidents may also be a sign that the EU underestimated the initial volume it would receive. The reported number of incidents covers data abuse as well as data loss, whether accidental or malicious. A separate source, directly from the European Commission, places the number of data breach related incidents at 41,500, covering both malicious and accidental events.
Under GDPR, Indian organisations would need to implement sufficient safeguards, which would further increase compliance costs. Instead of seeing this as a compliance burden, Indian organisations should see it as an opportunity to provide privacy compliance services and solutions. Companies need to review their procedures, existing privacy programmes, policies and contracts signed with third-party vendors. They also need to provide privacy training to their workforce. Furthermore, companies now have to focus on bringing in advanced technologies and must consider encrypting personal data while processing it.
The one thing that remains clear from this report is that the effect of GDPR is still not fully understood by organisations. This is evident from the huge number of reported incidents per country and the ongoing arguments around the interpretation of lawful data processing. The implications and interpretations will continue to play out for the foreseeable future.
The effects and legalities of GDPR are still rippling through data processing services. Recently, lobbyists from several countries launched a petition to their respective regional data protection authorities asking how EU personal data is used in the fast-growing space of Real-Time Bidding, a process that determines which advertisements are shown to you online. This is driven by the data companies hold about you, which allows them to make the most informed decision on which advertisement would appeal to you the most. The decision on which advertisement to show you is made in a split second and, hence, there is no practical way for the user to 'opt in' to the processing of their data. This is separate from the €50 million fine imposed on Google by the French CNIL earlier this year.
Organisations must have a specific mindset when it comes to the protection of data, as the data belongs to the individuals to whom it is linked. Organisations must treat the data as something they are borrowing or looking after, not something they own. It needs to be protected in the right way to ensure that only those who should use it or see it can do so. It may seem like an obvious shift of perception, but it is vital in terms of the importance we place upon protecting EU-related data.
Disclaimer: The views expressed in the article above are those of the author and do not necessarily represent or reflect the views of this publishing house. Unless otherwise noted, the author is writing in his/her personal capacity. The views are not intended to, and should not be taken to, represent the official ideas, attitudes or policies of any agency or institution.