Over-Stretched and Under-Resourced: General Data Protection Regulation Two Years On

In 2018, after years of planning, the General Data Protection Regulation (GDPR) was introduced by authorities across Europe. It aimed to modernize the laws that protect individuals’ private information; laws which hadn’t been updated for nearly two decades.

The GDPR was designed to give formidable power to data protection authorities. The threat of fines of up to €20 million or up to 4% of an organization’s global annual turnover (depending on which is greater) had been established. Two years on, although there have been over 160,000 data breaches reported, only a small number of companies have been issued with a punishment.

On the second anniversary of the GDPR, the EU now faces complaints from Brave, a maker of a pro-privacy browser, accusing it of failing to adequately resource data protection watchdogs and enforce the GDPR: “Even when wrongdoing is clear, data protection authorities (DPA) hesitate to use their powers against major tech firms because they cannot afford the cost of legally defending their decisions against ‘Big Tech’ legal firepower.” Brave’s criticism highlights what appears to be a fundamental flaw in the GDPR – leaving funding to the discretion of individual national governments which can mean that it’s not enough to enforce an appropriate punishment.

Enforcement has indeed varied widely across countries, and last year we caught a glimpse of what the data breach landscape may look like in terms of fines in the UK. The Information Commissioner’s Office (ICO) has issued intentions to fine British Airways £183 million, in addition to a potential £3 billion compensation pay-out, after the personal data of around 500,000 customers was exposed from their website and app. Marriott have also been issued with an intention to fine in the sum of £99m. In comparison, almost a third of countries reportedly have yet to issue a single fine.

It was never expected that the GDPR would change the face of data protection overnight. However, the glaring discrepancies highlighted by Brave make it clear that more must be done to regulate data protection across the EU.

Why is GDPR Enforcement Under-Resourced?

For the EU, the original purpose of the GDPR was to “harmonize” data protection legislation and penalties across member states while improving the rights of individuals. To see figures showing that enforcement is under-resourced is disappointing, but it doesn’t come as a huge surprise.

Brave’s report has revealed that just five of Europe’s data protection authorities have more than ten employees specializing in technology regulation – meaning violations of the GDPR by some of the continent’s most powerful companies may slip through the cracks. The ICO, Europe’s largest regulator, is understood to have dedicated just 3% of its 680-strong workforce to tech privacy issues.

The GDPR was designed to revolutionize data protection, but its introduction highlighted the vulnerabilities faced by many organizations, and some failed to adapt. A report by CNBC a year after its implementation revealed that regulators were “overwhelmed” with businesses panicking in the face of tougher new laws. Perhaps it was inevitable that data protection authorities would not have the capacity or funding to cope.

Conversely, an additional burden comes from the many organizations still failing to take the GDPR seriously. In the past year, a huge number of severe data breaches have made the headlines, most recently with Virgin Media exposing the personal details of 900,000 customers and some non-customers. We’ve also seen the Charing Cross Gender Identity Clinic leak highly sensitive personal data on an email chain, and the Marriott Hotel chain exposed the details of 5.2 million customers after hackers gained access to an employee account. The administration generated by these high-profile cases can increase the strain on a system that’s already under pressure.

There is only one solution: properly resourced regulators.

What Are the Consequences of a Lack of Funding?

The purpose of the GDPR fails if regulators do not have the resources to enforce it. Without the threat of punishment, companies will be tempted to flout the law, which can put data at risk. A continued lack of funding for data protection authorities could see companies failing to take the proper steps to process and store data securely. This could lead to dangerous and avoidable breaches of privacy and a rise in attacks from cyber criminals.

Organizations must be encouraged to invest in data protection and cybersecurity and adequately train their employees. This is an important step toward keeping data safe. Investment in data protection can also help to support businesses financially, as inadvertently exposing data can have a knock-on effect for bottom lines: a recent study from iomart revealed that data breaches can wipe 7.2% off an average company share price.

We need to see fines that are brought against companies issued and finalized faster to encourage investment in data protection and cybersecurity infrastructure. The decision to fine British Airways should have been a clear message to other companies but, a year down the line, the case is yet to reach an outcome and has been further delayed due to the coronavirus pandemic.

What Does the Future Hold?

The EU must work to ensure that there is more effective enforcement of the GDPR. European citizens have the right to know that their data is secure across the continent, and that fair and equal punishments are in place for those who fail to comply. Otherwise, despite good intentions, we may end up sleepwalking into a landscape that fails to protect privacy in the way that it should.

Despite the impact of Brexit, the UK will still need to comply with the GDPR. It applies to all companies with EU customers, so anyone continuing to do business across Europe will need to comply to avoid infringements. Although the GDPR will no longer directly apply to UK businesses when the transition period ends, they will be required to fall in line as part of a new regime entitled “the UK GDPR” – which has merged the GDPR with a statutory instrument from the British government that takes Brexit into account. Perhaps this re-evaluation will encourage the investment of funds that the data protection authorities so desperately need.

The coronavirus pandemic has brought further uncertainty to the landscape. Regulators have agreed to take a more lenient approach due to the increased pressure companies now face, but we must not let this take hold long term.