The General Data Protection Regulation (GDPR), the European Union’s digital privacy regulations introduced in Europe nearly two years ago, is in danger of failing because regulators have not been properly resourced, according to a complaint filed with the European Commission against all 27 member states by privacy-focused web browser Brave.
In the filing, Brave said that governments across Europe have failed to give data protection agencies “the human and financial resources necessary to perform their tasks.”
Dr Johnny Ryan, chief policy officer at Brave, noted, “If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities.” The claim is that half of Europe’s data protection authorities have an annual budget under €5m and that just five national regulators currently employ more than 10 investigators.
Ryan said that the number of technical specialists on the staff of regulators across Europe varied significantly. Studies show that Germany was out in front with 101 specialists at its data regulators, and this accounted for roughly 13% of the total headcount. The UK’s Information Commissioner’s Office was in fourth place with 22, or just over 3% of its total staffing, while Spain and France both had more specialists, despite their regulators being less than a third the size of the UK’s by number of staff.
Under the GDPR, any organisation using and storing EU customer data is responsible and accountable for its storage and processing. Failure to comply can result in fines of up to 4% of global revenue or €20m, whichever is higher. The rules served as a model for new privacy rules in Brazil, Japan, India and elsewhere.
Breaches of data have also come under intense scrutiny due to COVID-19 and the ensuing lockdown environment whereby significant numbers of people are working from home.
The GDPR posed specific challenges for the financial sector because of the vast quantity and types of data held within its organisations, which are considered high value for hackers. They had to invest in staff and new technology, which were both expensive and time-consuming. Implementation costs for UK banks alone ran to an average of £66m, the highest spend of any industry sector, according to consulting firm Sia Partners.
Regulators have acknowledged the problem in a February survey of privacy regulators in 30 European countries to the European Data Protection Board. It found that 21 believed “resources were not enough” to fulfil their responsibilities.