Should we expect less secrecy about GDPR performance?
Chances are that you may have heard about General Data Protection Regulation (GDPR) by now. Even if not from expert circles, training or media reporting, then certainly you must have felt the remarkable experience from the reinforced cookie pop-ups (a fact not difficult to predict in advance). But more seriously, GDPR greatly improves the protection of data privacy.
Notably, the regulation broadly introduces two interesting instruments. First, strong data misuse complaints, and second, the obligation of mandatory notification of personal data breach (to the data protection authority, and to the users). About the former you can read possibly anywhere. The latter I covered a while ago.
We’ve got the GDPR. But does it actually work? Yes. Furthermore, and fortunately so, there are three simple key indicators of performance. The one most reported is the volume (number, valuation) of issued GDPR fines (I made a fines how-to here). The two others of importance are
- the filed complaints,
- the filed breach notification notices
Unfortunately, this knowledge appears to be kept hidden deep inside the shelves of Data Protection Authorities (DPAs). Meanwhile, these are important metrics not only for researchers, activists or analysts, but also for the public society (transparency).
Complaints
The number of complaints indirectly indicates many interesting things. This includes the relative societal interest in the general aspects of privacy (i.e. awareness, education) and the sensitivity to data protection matters. The second indicative aspect is the performance of a data protection authority: how fast it resolves the complaints. It indicates whether a DPA has enough resources to do its job.
But while it is possible to compare the country DPAs based on the number of queued/processed complaints, comparing the situation in different countries in general (even in aggregate), solely based on the number of complaints, is unfortunately not simple. The reasons include the following. First, some countries make it more or less simple to file a complaint. Second, the situation in particular countries obviously differs, for example in terms of population, the number of companies, economy type, and so on. Third, the local situation matters (e.g. a single widely reported local breach may affect the numbers). Finally, and critically for research (comparability), it is unclear whether the various DPAs posted their numbers of filed complaints as of the same date.
The process is admittedly fragile, but the public interest in the data is undeniably strong. All the points above considered, early data indicated a significant increase in the number of filed complaints. For example, a four-fold increase (over 1300) in Germany, and a two-fold increase (over 6 thousand) in the UK. The situation is similar in other European countries.
The way this data is reported is highly unstructured. The reporting ranges from DPAs informing the public at fairly random moments, through journalists asking DPAs, to plain leaks. I am intentionally focusing on the first reporting of breaches, because it was, and still is, in no way standardised. There is no reason to include more of the data announced at later dates until the process is stable.
By January 2019, over 95 000 complaints had been filed across Europe in total. But even here it is unclear whether the data has been reported in a standard manner, country by country. On the other hand, it proves that someone has easy access to this data.
Data breach notification
The mandatory notification instrument is largely new in Europe in this form. It is among the GDPR gems. Ask at any market or grocery store, people love it. But it is very important, and not only due to its novelty. Until GDPR, many DPAs (and consequently, countries) did not have access to this kind of data.
I treat data breach notification as a litmus test of GDPR operation, including how well it has been implemented, respected, and enforced. This is a test of both organisations and the local DPA; so of the situation in a particular country in general.
I also argue that this number is strategically more significant than the number of complaints. The metric indicates how well organisations know their obligations. At some point the problem of underreporting or overreporting will inevitably emerge (I believe we may still have underreporting issues at the moment), which will be an important test for companies (honesty, competences), DPAs (ability to detect issues, and perform proper enforcement action, including corrective measures), but also the countries (what is the policy response to the new data).
Moreover, the number of reported incidents is an indication of the relative quality of data privacy and cybersecurity measures at organisations.
I repeat. It is difficult to compare the numbers between two different countries. But another issue is that the quality of awareness campaigns and training might not be simple to compare among the countries. In other words, the proliferation of the knowledge on "if and when to report a breach" might not be the same. Here, personally, I advise erring on the side of caution (if in doubt, do report the breach!) for many reasons. The first is transparency, and the second is that actual GDPR practice will take years to develop, so be cautious when you can.
Again, I do not see it as useful to include the patchwork of announcements by the many countries. Instead, let me just note that by January 2019 over 41 000 breach notifications had been issued. Again, someone has the data. Why can't it be displayed on a regular basis, in a standard way?
Furthermore, in this particular case data protection authorities are not limited to publishing a one-dimensional number. We should consider going beyond it to learn how many organisations had more than one breach, including statistics describing the extent of the data breaches. For consumers, this is important information. An additional important metric from a country-centric point of view is the number of breaches in particular industry sectors.
These details are also important information relating to the quality of the data protection authority itself. If an organisation has several data breaches in a short period of time, what did the DPA do?
In summary...
We lack information on GDPR.
The data exists. But unfortunately society, as in activists, researchers, users, consumers, citizens, cannot access it.
This complicates the work of the many advisors, consultants, and companies helping organisations with cybersecurity and privacy. Even more importantly, it makes it difficult for European citizens to understand how GDPR helps them, as the figures on data breaches and complaints effectively remain hidden. Obviously, this unstructured manner is not the result of a deliberate conspiracy. The true issue may be as simple as a lack of process for providing the information in a structured manner. This would have been understandable in the first months after GDPR's arrival. But today?
Fortunately, there is a simple solution.
The European Data Protection Board (EDPB) should publish the metrics and statistics on its website at regular intervals. The EDPB should have no problem retrieving the data from the particular Data Protection Authorities, and this body is well positioned to introduce basic transparency measures (and by the way, transparency is at the centre of GDPR).
This is the right thing to do. I say this not only as a researcher and advisor, but also as a citizen (with a possibly slightly above-average privacy and GDPR understanding).
I am calling on the EDPB to step in and improve the communication of basic GDPR metrics. I see no institutional or regulatory obstacles. However, if you believe otherwise, I would nonetheless be interested to hear your view: me@lukaszolejnik.com