Daily GDPR breach notifications are up 20% and fines are up 39% according to a new report.
Law firm DLA Piper has published its third annual GDPR Fines and Data Breach Survey, which reveals that the number of breaches being reported is rising along with the number and level of fines being imposed.
In the post-Brexit UK, the burden of GDPR is little changed, according to the ICO:
The GDPR has been incorporated into UK data protection law as the UK GDPR – so in practice there is little change to the core data protection principles, rights and obligations found in the UK GDPR. – UK Information Commissioner's Office
For businesses that operate across the EU and USA the future looks complicated, as there is still uncertainty over exactly how the rules should be applied following the dismantling of the EU–US data bridge by the European Court of Justice. According to DLA Piper:
During the coming year we anticipate the first enforcement actions relating to GDPR’s restrictions on transfers of personal data to the US and other “third countries” as the aftershocks from the ruling by Europe’s highest court in the Schrems II case continue to be felt. – Ross McKean, DLA Piper
According to the report, regulators are placing some focus on the transparency principle of the GDPR and issuing fines for overly complex privacy policies, lack of granularity, and missing or incorrect information. Another emerging enforcement trend is action against failures to provide ‘appropriate security measures’ for personal data.
As a result of enforcement actions brought by various regulators, we are seeing clarity as to what is considered ‘appropriate’ security measures. In particular, not performing these (arguably basic) steps would be viewed as a failure by the regulator:
- regular penetration testing
- implementing “server hardening” techniques
- monitoring privileged user accounts
- monitoring access to and use of databases storing personal data
- encryption of personal data, particularly more sensitive personal data
- processing payment card information in accordance with the PCI DSS Standard