Scrambling for data transparency under GDPR
It’s been a few months now since GDPR was finally implemented, and already it seems to be having the intended effect. In some instances, even too much of an effect.
One of the requirements stipulated by GDPR is that organizations track all data breaches and report certain types to the proper authorities within 72 hours of discovery. This is intended to address the widespread issue of customers being in the dark for potentially months at a time after a breach has occurred. For the UK, this requirement means contacting the Information Commissioner’s Office (ICO), which has now reported a quadrupling in the number of reports since GDPR. During March and April, before the regulations, the total number of breaches reported to the ICO was around 400. In June, the first full month with the policies in place, that number has skyrocketed up to 1,750.
It’s not too surprising to see this kind of mad rush to comply with new rules. Indeed, the ICO is finding itself inundated with endless reports. Businesses are so eager not to be caught napping, they just decide to be fully transparent and share everything. And yet, “controllers are so concerned about not complying with the notification requirements that they are notifying the ICO of breaches that don’t meet the threshold for notification,” says Anna Flanagan, an attorney at Pinsent Masons.
Even if this is the case, and even if companies and their data controllers need to apply a touch more discretion in evaluating which instances meet the criteria, I think this a positive sign. Entities are concerned, so much so that they’ll even report to ICO over lost pay slips, only to find them a few hours later. A bit overzealous, but better that than apathy.
As I wrote recently, the burden for data protection rests on the entities that handle and process it, not consumers who are not nearly as well equipped for the task. It appears that overall, many are coming to the same conclusion around the world. This includes Singapore, whose Cyber Security Agency’s deputy CEO Ng Hoo Ming states that “History has shown that leaving the industry to self-regulate does not work.” Giving a keynote address at an RSA Conference, Ng voiced support for regulations like GDPR and Singapore’s efforts to increase sound data policy as it continues plans to become a “smart nation.”
I mention this to demonstrate the global spread of this mindset of responsibility. More governments should take note of efforts like GDPR and sound data regulations and implement their own. Even if businesses might be a little too enthusiastic with oversharing, it’s better safe than sorry (“sorry” in this instance meaning “having a damaging megabreach.”)