Added awareness leads to greater grumbles.
GDPR has raised awareness among people about their data rights, and it’s this awareness that has, in part, led to a rise in complaints to the Information Commissioner’s Office (ICO).
According to data from commercial law firm EMW, the ICO has received over double the number of complaints, year on year, about data breaches since GDPR was introduced in May, with 6,281 complaints received between 25th May and 3rd July. This figure marks a rise of 160% compared with the corresponding period last year. The most common complaints focused on worries that sensitive personal information, such as health or biometrics data, or financial data was put at risk.
This is exactly the phenomenon we predicted in our 1st March post 'How Will The Right To Be Forgotten Affect SMEs?' At the time, we wrote, "as word continues to get out about GDPR, people may want to exercise their right to be forgotten simply because they’ve just heard about it." That now appears to be exactly what's happened.
GDPR (General Data Protection Regulation, of course) has been the hot topic of the year, with companies found to be in violation of the regulations facing fines of up to 4% of annual turnover, or potentially 20 million euros, depending on which figure is higher. Coming into force on 25th May, GDPR was introduced to bring laws protecting individuals' personal information up to date and to replace prior legislation, the Data Protection Directive, which was first introduced way back in 1995. The Information Commissioner’s Office is responsible for enforcing the new legislation, so if individuals have a concern about their data having been breached, lost or stolen, it’s the ICO who they would contact.
So why the large increase in complaints? Well, the considerable amount of media coverage in the run-up to GDPR’s implementation would have obviously raised awareness among the general public of how their personal data is being used and stored. The greater the public’s awareness of an issue, the more likely it is that people are going to want to ensure that their rights are being upheld and their data protected. The focus on businesses to keep their houses in order is greater than ever too, so it’s not entirely surprising to see complaints have risen, although the figures are large.
But even if they did fall foul of GDPR, firms must surely be insured against data loss and security breaches, right? Sadly, this is not the case among a large number of businesses, according to data from cybersecurity outfit NTT Security. Its 2018 Risk:Value report, which polled senior executives from non-IT functions across 12 countries on their attitudes to risk and the value of information security, found that just a third of UK firms had insurance that covered them for security breaches and data loss.
The report points out the dangers of not having any plans in place, with the cost of recovering from a breach standing at £1m, on average. Around half of UK respondents surveyed also had no idea whether or not their company’s insurance covered either data loss or a breach. Furthermore, a third of UK respondents said there wasn’t an incident response plan in place in the event of a data breach, which could be a real problem now that GDPR is in play.
So what should be done? Certainly, viewing GDPR as a barrier isn’t the answer. GDPR has surely created a lot of extra work for many businesses, and it would be all too easy to view it as an additional burden on already busy workloads. In the end, though, customers are right to be engaged about how their personal data is handled and individuals have undoubtedly become more savvy about IT security. The increase in data breach complaints should ultimately be viewed as an opportunity for businesses to provide customers with the data security they deserve.