A recent information security report revealed that 2019 is well on its way to being the worst year on record for data breaches.
We haven't even reached the fourth quarter of 2019 yet, but breach numbers are already 54% higher than all of 2018, with the number of records exposed in those breaches up by 52%.
Almost 4000 separate breach events were reported between January and July. Over 4 billion consumer records were compromised - with just 8 major breaches responsible for 80% of those records.
Data disaster? Not exactly.
In fact, in the long run it's a good thing.
Into the breach
On the surface, the recent spike in data breaches is a confusing development.
After all, in May 2018 the biggest overhaul of data protection regulation in 2 decades went live: the GDPR.
The GDPR lays out a comprehensive set of requirements for businesses that hold the personal data of EU citizens, including:
- Mandatory privacy impact assessments
- Transparent privacy notices with clear opt-in
- Obligations to provide and erase personal data at the request of the subject
The regulation forces businesses to consider how they are processing and storing personal data, and to take all necessary steps to protect that data from loss, breach or theft.
To enforce the importance of businesses grabbing a firm hold of their data governance, the GDPR gives European information commissioners' offices the authority to levy eye-watering fines on negligent companies - up to 4% of annual global turnover or €20m, whichever is greater.
British Airways and Facebook have already borne the brunt of the GDPR's financial clout, making front-page news in the process.
So why have data breaches been increasing in frequency since May 2018?
Has the GDPR proved completely ineffective?
Or even worse, backfired by scrambling panicked businesses to overhaul their data processes, inadvertently opening themselves up to greater breach risk than before?
In fact, the GDPR is doing exactly what it's supposed to.
Greater visibility
The GDPR's sharpest focus is on businesses that fail to report data breaches as they occur. Its heaviest financial penalties are reserved for organisations that experience a data breach, but fail to report it to their national information commissioners' office within 72 hours.
Rather than a raft of fresh data breaches, the recent spike in activity can be seen as businesses responding properly to their GDPR obligations and owning up to breaches quickly and honestly.
The GDPR was designed to give citizens greater agency and knowledge of how their personal data is being used or, in case of breaches, abused.
Carpet-sweeping and burying heads in the sand is no longer an option for businesses mishandling personal data. Transparent admission of breaches and a clear CAPA plan are now essential to avoid severe financial punishment.
And as any quality manager or data protection officer knows, effective corrective action is impossible without acknowledging and tackling the root cause in the first place.
So the spike in data breaches - or more accurately, reported data breaches - is no bad thing.
Data breaches have always been frighteningly common. Bringing them into the light makes for alarming numbers in the short run - but ultimately, gives subjects the truth about when their data is at risk, and forces companies to take steps to prevent future slip-ups.
We can expect the number of data breaches to begin to dip in the near future, as they're confronted honestly and under public scrutiny.
Further reading
We attended the inaugural Data Protection World Forum last year and learnt 9 key data insights and developments. Read up here.
Not got to grips with the GDPR yet? Access our free toolkit with templates, tools, engagement videos and more:
Share your thoughts on this article