Does Ireland have 3 x or 38 x the notifications of France? And the UK?
How do you compare personal data breach notifications across the EEA, country to country? The bare data is the first step but there’s a lot more to be discovered and discussed.
For example, on their data protection authority’s own figures:
- France averaged 167 Notifications per month from 25 May to 23 November 2018, and
- Ireland had 451 Notifications in September 2018, or 2.7 x France at that time. Ireland is known for its international Tech industry, but is that enough of a reason?
The numbers take on a different relationship considering that there are only 250,000 businesses in Ireland compared to 3.5 million in France. Or that Ireland’s population is just under 5 million whereas France has over 67 million. Keepabl’s BPM Index is an attempt to look deeper into the data, help draw out similarities and differences, and spark discussion.
Why it matters
According to a recent survey of SMEs by Aon:
- ‘over half are confused by or even unaware of the rules around GDPR’, and
- 68% didn’t know you had to report a data breach to the UK ICO.
This is not good. Particularly when breach notification (and how you handle breaches generally) is a key ongoing governance area under GDPR. The UK Commissioner, in her 4 December speech, put it very clearly:
‘As I’ve mentioned, the ICO has received more than 8,000 breach reports since May and it’s one of the areas that concerns business most.
And rightly so. Because breach reporting is not a mere administrative responsibility. It speaks to the accountability principle of the GDPR. The accountability principle requires you to take responsibility for what you do with personal data – and have processes and systems in place to demonstrate this compliance.
If, within the 72-hour time limit, a UK organisation has no clue as to the who, the what, the how of a breach, then it is clear that they do not have the required accountability data checks and balances in place - as required by law.
I believe that data breach reporting drives companies to invest in better security and better data governance. For this reason, I believe breach reporting to be one of the most significant upgrades in the new law.’
The BPM Index
Keepabl has created the BPM Index and made it available under a Creative Commons licence to increase regulatory understanding and awareness across the EEA, and to help organisations in their compliance activities. The BPM Index currently comprises 2 figures: the BPM Pop (Notifications normalised against a country’s population in millions) and the BPM Biz (Notifications normalised against a country’s number of businesses in millions).
Over the last few months, we’ve asked each DPA in the EEA for their monthly breach notification data and we have enough responses to make for very interesting analysis. We’ve captured it all in a Google Sheet, which we’ll keep updated as we receive more stats. Do take a look and do your own calculations. But now, let’s look at a few examples.
UK, Ireland & France
The UK ICO was already receiving nearly 400 Notifications a month before the GDPR and received a whopping 1,792 Notifications in June 2018. Based on a UK ICO speech in September 2018, it was receiving an average of 1,444 calls per month about notifiable breaches over its breach phoneline. Taking the 1,444 number for September 2018, the UK had 8.6 x the Notifications France had, and 3.2 x Ireland. Why would that be? We can look further into the numbers using the BPM Pop and BPM Biz.
Is a country’s population size correlated to the number of Notifications it receives? Normalising each country’s Notification data against their populations (4.8m for Ireland, 66.2m for the UK and 67.2m for France) results in the BPM Pop for each country.
For September 2018:
- Ireland’s BPM Pop was 93.2 (= 451/4.838),
- France’s BPM Pop was 2.5, and
- the UK’s BPM Pop was 21.8.
On those figures, Ireland’s Notifications were 37 x France in September 2018, and the UK remained roughly the same at 8.7 x France.
The BPM Pop is just one method of looking at the data. It clearly ignores various international effects, for example Ireland’s renown as an international Tech hub, but it does raise interesting questions. And France, which has many more businesses than Ireland, also has a successful tech industry.
So, perhaps the number of businesses in a country is a better number to normalise against? Normalising the Notification data against the number of businesses (250k for Ireland, 2.5m for the UK and 3.6m for France) gives us each country’s BPM Biz.
For September 2018:
- Ireland’s BPM Biz was 1,804 (= 451/0.25),
- France’s BPM Biz was 46.9, and
- the UK’s BPM Biz was 585.5.
On those figures, Ireland’s Notifications rose further to 38.4 x France that month, and the UK increased to 12.5 x France. Is Ireland’s international Tech hub status a sufficient explanation for this multiplier? What about the UK at 12.5 x France?
The BPM Pop and the BPM Biz are just 2 ways to interrogate the data. They may not capture various effects, and the BPM Biz doesn’t cater for the public sector, but they’re interesting indices on their own and may reveal more when compared to the raw data and other indices.
Why the differences?
In its preparation for the GDPR, the UK ICO put in place a system to handle 30,000 breach notifications a year: 1,444 a month is a run-rate of 17,328 a year. (The UK ICO has also disclosed that it received 4,056 notifications from July to September 2018, averaging 1,352 a month or a run-rate of 16,224 a year.) Whereas CNIL has stated that it received 1,000 notifications from 25 May, averaging 167 a month, which is a run-rate of 2,004 a year.
Is that difference to be expected, or is it something to look at further? Is the difference down to the international nature of a country's business? Is it the type of business they have? Does it reflect different regulatory histories and guidance, and how should that change with GDPR? Does it reflect more engaged, or simply more, data subjects that a country’s businesses cover? For these examples we’ve based comparisons on France (although many EEA countries score similarly to France), but how should comparisons be based, and will a benchmark emerge?
We can't say, and we're not saying, that any particular score is better or worse than any other - we just don't know enough yet. A benchmark may emerge in future, or new BPM indices. We're at the start of the journey, both for the GDPR and the BPM Index, and these are all fair questions to ask.
See the data for yourself
Our aim, and why we've created the BPM Index, is to foster a better and more common understanding of the personal data breach obligations in the GDPR, so we can all find it easier to comply. We hope it will help inform other research and drive discussion on a uniform way to address this key aspect of GDPR across the EEA.
We know the BPM Pop and BPM Biz aren’t perfect. It would be great to cut and slice the data by internal v external actors, public v private sector, and more. But that level of data isn't easily available across the EEA yet. So the BPM Index is a good start, reflecting a commercial, practical approach to generate discussion and awareness.
Over the last few months, we’ve had great co-operation from the European DPAs. In the mid-term, we’d love the EDPB to take on the BPM Index. It seems the right place for it to live and grow as they'll have the cleanest data available.
Here are the underlying data and our White Paper - please do download them and join the conversation.