Before the General Data Protection Regulation (GDPR) came into force, it took UK companies an average of 60 days to realise they had been the victim of a data breach. One business took 1,320 days to report. Nine out of 10 reports submitted to the Information Commissioner's Office were missing critical details; for instance, the date the breach occurred.
A common criticism of European regulation in general – one that often appears on the pages of this magazine, in fact – is that it purports to solve a problem that didn't previously exist. From providing increased transparency to investors who couldn't care less to forcing banks to shore up obscene amounts of capital that may not even help them with a specific, unknown problem that arises on a given rainy day at some point in the future, many argue that such rules are a mere representation of the tail wagging the dog.
But these statistics make that argument difficult in the context of the GDPR. In fact, for data and technology in general, the dog is very clearly in control.
Again, for many, contempt for post-crisis regulation stems from the belief that it is only capable of preventing future crises if they look exactly like the last one. Huge warehouses of liquid capital won't help banks back on their feet if it's not a capital shortage they're faced with.
Yet any self-respecting list or discussion of the biggest risks to global financial stability is not complete without a mention of cybersecurity and the world's vulnerability to the multitude of threats posed by hackers.
It's no secret that regulators have long struggled to keep up with the sheer scale of big tech and the accompanying risks. But from the GDPR to competition commissioner Margrethe Vestager's valiant work that saw Google pay Ireland €13 billion in back taxes, European regulators are at least trying to get a handle on it.
Arguably the most common refrain on the GDPR in particular is that it's a step into the unknown. Last May it succeeded the 1995 Data Protection Directive, which was drafted when many of Silicon Valley's top executives were still in nappies. Given the progress made in tech over the past 25 years, tackling something new should not be a bad thing.
By forcing firms to report data breaches within a set period of time and threatening to hit them where it really hurts, with up to four percent of global turnover at stake, European regulators are leading the way globally in protecting the data of their citizens.
Plus, the Commission has already shown it's serious on data protection, and may only just be getting started. In less than a year since implementation, more than 200,000 cases have already been reported, and Google – leader of the pack, as ever – has already been hit with a €50 million fine.
Say what you like about EU regulators, but when it comes to facing down one of the most significant threats to economic security, they mean business.