It’s been almost a year since the EU’s data privacy regulation went into effect. It’s been very successful in one regard, but largely failed in another.
The EU’s General Data Protection Regulation went into effect on May 25, 2018, but online privacy experts are already scrutinizing the policy’s effects. Last week in London, the International Association of Privacy Professionals hosted a retrospective panel on the GDPR’s first year, which French regulator Mathias Moulin emphasized “should be considered a transition year.”
Transition year or not, early numbers for the GDPR make clear that the policy has been a success as a breach notification law, but largely a failure when it comes to imposing fines on companies that fail to adequately protect their customers’ data. At the panel discussion, Stephen Eckersley, the head of enforcement at the U.K. Information Commissioner’s Office, said the U.K. had seen a “massive increase” in reports of data breaches since the GDPR’s implementation. In June 2018, companies self-reported 1,700 data breaches, and Eckersley estimated that the total will be around 36,000 breaches reported in 2019, a significant increase from the previous annual reporting rate of between 18,000 and 20,000 breaches. Across Europe, nearly 60,000 breaches were reported during just the first eight months of the GDPR, according to a survey released last month by law firm DLA Piper.