The GDPR, which came into force on the 25th of May, 2018, expanded the coverage of the EU's data protection area and introduced innovations that affect organizations and individuals. It was therefore one of the most significant events for companies, both inside and outside the EU, that process the personal data of EU citizens. Organizations were forced to review the priorities of their processing activities, to introduce new approaches, and to develop a culture of personal data processing by minimizing the amount of data collected, defining the purpose and grounds for processing data, fulfilling the rights of data subjects, etc.
The survey on GDPR compliance
TechRadar, an online publication focused on technology, recently held a survey of 103 major companies operating in Europe from different industries, including retail, media, technology, public sector, finance, and travel. The results showed that even though companies are aware of the requirements and have now had six months to meet the new standards, many businesses are still struggling to cope with GDPR. The summary of the survey mentioned that a large proportion lack proper methods of storage, organization, or retrieval of data in line with the regulation's requirements, and the compliance level seems to be much lower than expected. The most difficult requirements to meet are the new rights of the data subject, such as the right to access and the right to data portability.
GDPR concerns not only companies within the EU, but also those outside the EU that process the personal data of EU citizens. According to TechRadar, only 35% of Europe-based companies agreed to provide data for the survey. This includes companies headquartered in the UK, France, Germany, Spain, Sweden, and Italy. However, only 50% of companies that provided data showed the compliance rate slightly higher for non-European companies. Thus, businesses outside the EU seem to take a more proactive approach to GDPR.
Some industries are more GDPR compliant than others. TechRadar shared the concern that over 76% of companies in the retail industry didn't even participate in the survey. Financial service providers, on the other hand, were the most active, even though only half of the industry provided a response.
The main cause for GDPR data breaches
According to the ICO, the vast majority of breaches were caused by "human error". Incompetence or mistakes resulted in 88% of the reported breaches (confidential data emailed to the incorrect recipient, loss or theft of paperwork, data left in an insecure location, and others). Only 22% were seen as being related to malicious activity.
Here are some well-known GDPR data breaches:
- The most recent one: a Quora hack exposes up to 100 million user accounts as a result of unauthorized access to one of its systems by a malicious third party;
- Amazon hit with a major data breach that caused customer names and email addresses to be disclosed on its website days before Black Friday;
- A hospital in Portugal receives a fine of 400.000 EUR;
- Radisson Hotel’s Global Loyalty Program Data Breach;
- Google shuts down Google+ after discovering a vulnerability in an API, which made it possible for third-party app developers to access data from the friends of the app users;
- British Airways has suffered a sophisticated data breach affecting around 380,000 customers using its website and mobile app;
- Facebook and AIQ fined;
- 57 million Uber users compromised;
- Eurostar forces customers to reset passwords after hack attempt; and many more.
GDPR six months summary in Lithuania
The Lithuanian Data Protection Authority received a mass of requests for consultation from companies regarding GDPR and the same amount of complaints from data subjects regarding unlawful or incorrect processing of their data. That is why the Lithuanian Data Protection Authority still acts more as an assistant than as a punisher.
During 2018, over 6671 consultations were provided. That is 15% more than in 2017. The main focus was on matters such as the legality of data processing, innovations brought by GDPR, and the expertise of the local data protection authority, as well as video surveillance under the GDPR, the appointment of a DPO, implementation of human rights, direct marketing, and personal data breaches. So far, the Lithuanian Data Protection Authority has not imposed any fines under the GDPR. However, after 19 inspections done during the period from the 25th of May, there were 18 cases in which personal data was mishandled.
The number of complaints received makes it clear that direct marketing is one of the most pressing issues that data subjects face. During the first half-year of GDPR, the local data protection authority received 443 such complaints, which is almost the same as in the whole of 2017 (480). Besides direct marketing, people are actively complaining about data collected and used by debt collectors, the service providers sector, and state registries, as well as about possible breaches involving special categories of personal data, personal identification codes, and the legality of processing image data.
After GDPR came into force, data security breaches have become critical to both the public and private sectors. Data security breaches were reported 80 times from the 25th of May (in 2017, only 7 data breach cases). The main causes were unlawful data disclosure, loss, theft, and plagiarism.