Before the General Data Protection Regulation (GDPR)
came into force, it took UK companies an average of 60 days to
realise they had been the victim of a data breach. One business
took 1,320 days to report. Nine out of 10 reports submitted to
the Information Commissioner's Office were missing critical
details; for instance, the date the breach occurred.
A common criticism of European regulation in general
– one that often appears on the pages of this
magazine, in fact – is that it purports to solve a
problem that didn't previously exist. From providing increased
transparency to investors who couldn't care less to forcing
banks to shore up obscene amounts of capital that may not even
help them with a specific, unknown problem that arises on a
given rainy day at some point in the future, many argue that
such rules are a mere representation of the tail wagging the
But these statistics make that argument difficult in the
context of the GDPR. In fact, for data and technology in
general, the dog is very clearly in control.
Again, for many, their contempt of post-crisis regulation is
that it is only capable of preventing future crises if they
look exactly like the last one. Huge warehouses of liquid
capital won't help banks back on their feet if it's not a
capital shortage they're faced with.
Yet any self-respecting list or discussion of the biggest
risks to global financial stability is not complete without a
mention of cybersecurity and the world's vulnerability to the
multitude of threats posed by hackers.
It's no secret that regulators have long struggled to keep
up with the sheer scale of big tech and the accompanying risks.
But from the GDPR to competition commissioner Margrethe
Vestager's valiant work that saw Google pay Ireland €13
billion in back taxes, European regulators are at least trying
to get a handle on it.
Arguably the most common refrain on the GDPR in particular
is that it's a step into the unknown. Last May it succeeded the
1995 Data Protection Directive, which was drafted when many of
Silicon Valley's top executives were still in nappies. Given
the progress made in tech over the past 25 years, tackling
something new should not be a bad thing.
By forcing firms to report data breaches within a set period
of time and threatening to hit them where it really hurts, with
up to four percent of global turnover at stake, European
regulators are leading the way globally in protecting the data
of their citizens.
Plus, the Commission has already shown it's serious on data
protection, and may only just be getting started. In less than
a year since implementation more than 200,000 cases have
already been reported, and Google – leader of the
pack, as ever – has already been hit with a €50
Say what you like about EU regulators, but when it comes to
facing down one of the most significant threats to economic
security, they mean business.