An idealist might view the European Union’s General Data Protection Regulation (GDPR) as an effective means of reducing the number of data breaches by imposing massive fines on those who lose control over the private data of EU residents. A cynic might view the GDPR simply as a means for the EU to make lots of money from those who violate it, while not having much impact on reducing the total number of data breaches.
The truth might lie somewhere in the middle.
In terms of good news about the efficacy of the GDPR, Cisco recently released a report showing that only 74 percent of GDPR-ready organizations experienced a breach since the GDPR went into effect last May, compared to 89 percent of non-GDPR-ready organizations that suffered a breach during the same period.
The bad news is that 74 percent of GDPR-ready organizations experienced a breach since the GDPR went into effect last May.
Corroborating the fact that data breaches are still running rampant is a DLA Piper report showing that more than 59,000 data breaches occurred in Europe during the eight months since the GDPR went into effect, or roughly 10 breaches per hour. The DLA Piper data shows that data breaches are significantly more common than the 41,502 breaches reported by the European Commission for the same period.
The continuing high rate of data breaches should not be used by corporate decision makers as an excuse for not complying with the GDPR. Every organization should do so for a couple of reasons: first, it’s the law and decision makers should comply with the law. Second, becoming GDPR-compliant will make organizations and the data they process and control safer and less likely to be breached.
Plus, complying with the requirements of the GDPR is a good idea because they make sense: encrypt data, keep it only for as long as you need it, ensure that third parties that have access to data comply with good data governance practices, enable data owners to have control over information about them, and so forth.
What might not be such a good idea is imposing massive fines on companies for data breaches because big fines often don’t work. For example, in 2015 five US banks were fined $5.6 billion for their role in colluding to manipulate interest rate and currency markets, yet some concluded that the fines had little impact on the future behavior of these institutions. In January of this year, Google was fined €50 million (~$57 million) in France for GDPR violations, or about 0.04 percent of the company’s 2018 revenue – a drop in the bucket for a company this large. Even at a personal level, huge fines have little impact: for example, in 2014 the State of Illinois imposed new anti-littering laws that, for a third offense, impose a fine of $25,000 and a felony conviction on the offender. The result in the first three months of the new law was that very few citations were issued.
So, what might be a more effective way to reduce data breaches and increase compliance with privacy regulations like the GDPR? Here are three ideas:
- Every time a breach occurs, require offending companies to pay for 1,000 randomly selected victims to be flown first class to an exotic location — perhaps a very nice hotel for a long weekend — where victims can meet in a public forum and air their grievances with executives of the company that lost their data. Also require that the event be recorded and made available on the home page of the offending company’s web site for one year following the event. This would allow executives to meet their victims face-to-face and learn first-hand of the pain their carelessness has caused.
- Require the CEOs from offending companies to take a three-month sabbatical following a data breach, not allowing them to participate in the day-to-day activities of running their companies.
- Instead of imposing fines on offending companies, instead require that these companies spend the same amount on technologies, processes, training, etc. to ensure that their data processing practices are improved so as to prevent future data breaches. The spending plan and expenses could be monitored by a third-party consulting firm not connected with the offender.
While these ideas certainly won’t prevent all future data breaches, they might be more effective than slapping offenders with big fines that dissipate into a government bureaucracy.