The Pitfalls of Over-reporting Under the GDPR
After much fanfare, the EU’s General Data Protection Regulation (GDPR) went into effect in May of 2018. In May 2019, the European Data Protection Board (EDPB) issued its 1-year assessment of the GDPR. In the first year, over 89,000 data breaches had been logged by EEA Supervisory Authorities.
While the EDPB report casts a meteoric rise in reported breaches as positive evidence of increased privacy awareness, the plain truth is that many organizations are also over-reporting privacy-related incidents/breaches rather than face the risks of under-reporting. Maybe these organizations are thinking it’s better to be safe than sorry – but in truth, they mistake the simplest course for the safe course. In fact, under- and over-reporting under GDPR carry significant risks, so the only really safe course is to develop the ability to consistently and defensibly assess an incident within the GDPR reporting timeline.
Despite the EDPB’s optimistic interpretation of the numbers, the facts show substantial over-reporting. By August 2018, figures released by the U.K.’s Information Commissioner’s Office (the U.K data protection authority) showed a 500 percent increase in the number of reports it received in June 2018 versus April, before the GDPR went into effect, leading the ICO to comment publicly on “high levels of over-reporting.” A report compiled by law firm Pinsent Mason found that 59 percent of incidents reported to the ICO were closed without further investigation, and 69 percent were found to require no action.
2019 metadata from the Radar Incident Response Management Platform for breaches assessed to date shows that 90% require no notification at all under GDPR, with 7.3% requiring notification to data protection authorities and only 2.7% requiring notification to authorities and individuals.
There are several factors driving over-reporting. There has been uncertainty about the criteria for what constitutes a reportable breach. For example, questions about whether interruption in service, such as a ransomware or DDOS attack, pose a risk to the rights of individuals sufficient to require notification. However, the EDPB has provided guidance, and many of these questions were answered in the early months of GDPR enforcement. Potential fines have no doubt also been a motivating factor: the spectre of handing over €20 million or 4% of annual turnover is enough to chill the heart of any data privacy decision-maker. While there have been a few large fines levied—most notably the €20 million penalty against tech giant Google—in general, GDPR investigators have focused more on improving practices than on punishment.
The biggest factor driving over-reporting is probably the 72-hour reporting window. It’s understandable: from the time a data controller becomes aware of an incident, they have 72 hours to assess and document the causes of the data exposure, the categories and amount of affected data, and the likely impact on affected parties. In addition, they have to document staff training and awareness programs, what prevention measures were in place, what steps have been taken since the incident to mitigate the damage, and the containment plan going forward. That’s a lot to pull together in a short time, and the data-gathering can easily overwhelm the effort to accurately assess whether a breach actually requires notification.
It’s easy to see why organizations have been erring “on the side of caution,” reporting anything that might remotely be notifiable. But is racking up a long string of reported breaches really the cautious approach? What if a potential customer or business partner looks up your compliance record and sees a whole string of reported breaches? Will they want to do business with you? What if a competitor or someone in the media decides to publish your record? Could you be facing a reputational nightmare?
There’s also the risk that, at some point, DPAs will notice that your organization is having repeated, small breaches and decide to investigate what’s not working in your data security and privacy programs. The GDPR rules explicitly reserve the right to re-open an investigation if additional information or incidents come to light. As the Pinsent Mason report says, “It remains to be seen how much weight the ICO will place on organisations suffering multiple minor incidents and what the cumulative effect of these may be in terms of attracting any potential fines.”
All risks considered, the only safe road to GDPR compliance is to have an efficient, repeatable process for incident assessment that includes:
- An automated multifactor risk assessment to ensure consistency and objectivity of your incident risk scoring and decision making
- An automated workflow that accelerates data gathering and ensures that all relevant details have been captured
- Tools that automatically generate needed documentation about incident facts and the risk assessment (because GDPR requires that organizations keep documentation about each incident whether it is reported or not)
As a recent article in Law.com observed, it takes the same amount of time to determine that an incident is notifiable as to determine that it’s not. So, the choice is up to you: assess accurately or guess. What GDPR data authorities are looking for is whether your organization has the tools and processes in place to correctly determine and address data privacy risks. Over-reporting will only show them, your customers, and the public that you don’t.
Are you heading to Brussels for the IAPP Europe Data Protection Congress Nov 20-21? I’ll be speaking to this topic in a presentation titled “Why risk it? The pitfalls of over-notifying under the GDPR” on Wednesday, November 20th in the main exhibit hall. I hope you can attend – or come find the RadarFirst team at booth #26.