Months have passed since GDPR went into effect, and already we’re seeing an impact. Our counterparts in the UK, for example, note that event reporting is seven times higher over the last three months than it has been in the last year.
This indicates that people respect the new regulations so far. Whereas before they may have stayed silent about breaches, they are now calling in and reporting them. And it’s more than just reporting. We’re also hearing from people who aren’t dealing with a live incident but are requesting pre-breach support. In addition, attorneys who specialize in privacy issues say they have never been busier, especially during the run-up to the May 25th enforcement.
Organizations aren’t the only ones who are more conscientious about the data privacy rules. Citizens are more vocal about protecting their data. According to The Guardian, the French data protection regulator, CNIL, has seen a 50 percent increase in breach complaints since GDPR went live. In Austria, CNIL reports that “more than 100 complaints have been filed in the last month, along with 59 breach notifications — the same number that would typically be received in eight months.” Where in the past there was little to no reporting, countries are now seeing a lot of activity.
There may be a downside to this flurry of reporting. For one thing, it’s unclear whether EU governments have the resources necessary to enforce the mandates. A year ago, there was a need for 17,000 people to staff the EU data protection agencies; today there are still upward of 5,000 positions unfilled.
Since organizations are self-reporting their compliance levels, it’s impossible to know how close to 100 percent ready they are today. Based on what we’ve seen, many of our clients were roughly 60-70 percent ready in the lead-up to the May 25th deadline and are continuing to work toward that 100 percent goal today. Certainly, the steep fines and the public exposure will provide extra incentive to push for total readiness.
What will change the landscape of GDPR and its effect in the marketplace is the first big fine. I expect that will have a market effect on preparation and compliance. We witnessed this in 2003 when California passed the first American law requiring breach notification.
Two months in, it’s still too early to know the precise impact GDPR will have on the prevalence and severity of data breaches. But so far, organizations appear to be taking it seriously and complying with the 72-hour notification laws. Citizens, too, aren’t hesitating to let officials know their concerns and are more aware of the importance of data privacy.
It has clearly begun to make an impact.