It’s sad but very much expected that, even after two years of existence in Europe, the GDPR is in serious danger of failing because its regulators remain under-resourced. A report by Brave, the maker of a pro-privacy browser, confirmed that European governments have not fully equipped their national regulators for GDPR enforcement. The report revealed that only five of Europe’s 28 national GDPR enforcers have more than ten tech specialists each, and that half of the EU’s GDPR enforcers have a small annual budget of just €5 million or less.
As it stands today, the two-year journey appears to have been a struggle for the countries that signed up to the GDPR. For instance, the UK Government’s privacy regulator is Europe’s largest and most expensive to run, yet only 3% of its 680 staff are focused on tech privacy problems. The report identifies under-resourcing as the root cause.
The lack of dedicated, skilled staff, coupled with insufficient funds, explains why only a limited number of fines have been handed out to businesses that have experienced data breaches in recent years. These substantial but partial fines have failed to act as a warning.
And now, within a month of the second anniversary of the GDPR, EasyJet has announced a monumental data breach affecting about 9 million of its customers. It is evident that no lessons have been learned, and there is a distinct lack of deterrent for organizations to act in accordance with the law. With significant regulatory fines that can drive up to a multi-billion-pound compensation settlement, real change should have been seen by now. But it hasn’t, and even now enterprises can anticipate more breaches.
The lack of attention and skilled resources outlined in the Brave report could mean that it will take years for these fines to be filed and handed out. In turn, this could diminish the GDPR’s authority over the approach that businesses take to cyber security. A continued lack of funds for data protection watchdogs, and a lag in the swift execution of fines, means that businesses will fail to take adequate steps to protect data.
Going forward, GDPR enforcement will need more dedicated staff and funds. There is no benefit in having laws and rules in place if regulators lack the resources to enforce them.
Enterprises are currently at a crossroads, and European governments have the opportunity to boost their cybersecurity capabilities and implement the rules they signed up to a couple of years ago. If industries continue with the same irresponsible behavior, more organizations are likely to fail to protect personal data, exposing it to hackers.