momius -

GDPR exposes breach reporting flaws

In the month since the GDPR compliance deadline, it has become clear that many organisations are not well prepared for personal data breach notifications, says PwC’s data protection lead

While it is too soon to identify any trends around the enforcement of the EU’s General Data Protection Regulation (GDPR), the past month has exposed serious failings in organisations’ ability to notify of personal data breaches, according to Stewart Room, data protection lead at PwC in the UK and globally.

“We had some very challenging experiences, with new customers struggling with GDPR requirements for personal data breach disclosure,” he told Computer Weekly.

“The past month has revealed the extent to which organisations are not properly prepared for data breach disclosure, with some organisations lacking procedures and processes, resulting in people being unsure about what needed to be done, who should do what and who was in charge.”

Despite having a two-year grace period until 25 May 2018 to prepare for the GDPR, Room said many organisations did not appear to have matured their data breach notification processes over that time.

“With some of the cases we have been dealing with, I have been getting the impression that it was the first time the organisation had ever dealt with a breach notification,” he said. 

Room said his experience in the past month suggested preparatory work around data breach notification had not been as complete or as good as it needed to be.

“The breach notification cases we are handling are not for clients that we helped prepare for GDPR, but their inability to cope with real-world incidents suggests that whatever planning they did was ineffective,” he said.

Room said this underlined the importance of organisations identifying the scenarios that are most important to them and ensuring that have they understood what needs to be done to deliver the desired outcomes of their programmes aimed at achieving GDPR compliance.

He reiterated the advice he gave in the run-up to the GDPR compliance deadline that organisations should be focused on the minimum viable product they should be delivering to achieve the necessary outcomes, such as fielding customer complaints and ensuring they are acted on promptly and effectively.

GDPR-related rights activity spikes

As predicted, Room said there had been an increase in data subject access requests and other activities as European citizens exercised their new rights, as well as a flurry of GDPR-related litigation and complaints, led by Austrian lawyer and digital rights activist Max Schrems.

The sharp increase in the number of complaints to regulators across Europe shows that there is strong public interest in the new rights under the GDPR, he said.

The UK’s Information Commissioner’s Office (ICO) has reported a rise in breach notifications from organisations, as well as more data protection complaints, according to The Guardian.

Room said it was still unclear how many complaints had reached the ICO and data protection authorities across Europe, or the actual volume of requests received by organisations from citizens exercising their GDPR rights, because no one has published any statistics yet.

“I have not yet seen anyone detailing their experience post-25 May. Cards are being played very close to the chest, but based on first- and second-hand experience, and what the regulators across Europe have been saying, there has been a significant increase in activities such as data protection enquiries, the exercising of data subjects’ rights and complaints,” he said.

However, Room said the demand for professional services related to GDPR requirements had tapered off in the past month, after reaching a peak in the run-up to 25 May, driven in part by panic.

“Many organisations were panicking because they viewed 25 May very much as the finishing line rather than the beginning of a new way of doing things under the GDPR, resulting in a remarkable spike in demand for professional services in the final month,” he said.

Read more about General Data Protection Regulation

But Room said demand had since subsided to pre-May 2018 levels, with new business comprising mainly of requests for help with data breach notifications and for reviews of data protection programmes.

A third source of new business in the past month, he said, has been helping organisations deal with some of the “blowback” in response to the flood of emails that hit many people’s inboxes around the end of last month as organisations asked for permission to collect and process personal data.

“The clients we were working with in the run-up to the GDPR did not adopt similar outreach strategies because they understood that consent is not the only legal basis for processing information,” he said.

According to Room, the privacy and electronic communications regulations has a legitimate interest basis for direct marketing for email in certain situations that does require consent.  

Legitimate interest is also one the five legal bases under the GDPR that can be used as an alternative for consent, as Chris Combemale, CEO of the DMA Group, which includes the Direct Marketing Association (DMA), told a Westminster eForum seminar in London in February.

“Organisations that analysed the law and their databases correctly did not automatically follow a re-permissioning strategy,” said Room.

As a natural consequence of following a re-permissioning strategy, he said organisations were experiencing an increased level of activity around GDPR rights from customers and some negative reactions to the flood of emails people received as a result.

“I do not have any statistics for these companies to compare with those which did not mount outreach campaigns, but spikes in GDPR-related rights activity seem to be associated with organisations that did go down that route,” said Room.

Due to the maturity of the regulatory and political systems in Europe, Room said it was unlikely that any trends would emerge any time soon.

“There will be official findings only after enough evidence has been gathered. In the meantime, things are progressing very much as expected and it is business as usual in the regulatory environment in terms of issuing guidance, dealing with enquiries and law enforcement activities,” he said. 

Read more on Privacy and data protection

Data Center
Data Management