A Data Protection Commission 2018 survey reported that GDPR awareness amongst Irish SMEs is pleasingly high (90%). However, a 2018 MicroWarehouse survey of 100 CIOs and IT Managers found that large implementation gaps remain. Over 50% of Irish SMEs had yet to implement data protection measures, and 30% of respondents reported that cyber security is ‘not discussed at management level’. (Ref 1)
A new report by the international law firm DLA Piper shows where such complacency leads. From May 2018 to January 2019, Irish organisations reported 74.9 data breaches per 100,000 population, a higher rate than in every other EU country apart from the Netherlands, with over 3,800 breaches in total notified to the Data Protection Commissioner (DPC). (Ref 2)
So, what happens to stolen or hacked personal data? A UK Independent article about Dream Market, the dark-web marketplace, revealed that the personal data of 617 million accounts went on sale last week. It includes 92 million accounts from MyHeritage.com and 150 million accounts from MyFitnessPal.com, mostly stolen in 2018 hacks. Interestingly, many of the datasets for sale came from hacks that were never reported. Nevertheless, the organisations that held this personal data in their care can expect fines, whether they knew they had been hacked or not. (Ref 3)
The facts are clear. Too many data breaches occur, more than are officially notified, and Irish organisations appear to be particularly vulnerable. Organisations that process personal data have a duty to protect it under GDPR. Apart from fines, the ultimate DPC sanction is a cease-processing order, which can be served in cases where negligence contributes to a data breach that damages individuals, much as a health inspector can close down a restaurant. Maybe it’s time to check that our data hygiene practices are fit for purpose and capable of protecting the personal data that we hold in our care.