OK, this is one for the GDPR-Geeks!
How do you compare personal data breach notifications across the EEA, country to country?
The bare statistic is the first step, but doesn’t tell you much in reality.
For example, France averaged 167 Notifications per month from 25 May to 23 November 2018. Ireland had 451 in September 2018, roughly 3 times more than France. Ireland is known for its Tech industry, but is that enough of a reason? Perhaps. But considering that Ireland has 250,000 businesses compared to France’s 3.5 million, or that Ireland has a population under 5 million and France has over 67 million, the numbers take on a different relationship.
The BPM Index comprises 2 figures (BPM Pop and BPM Biz). It’s a serious attempt to increase regulatory understanding and awareness across the EEA, to help our customers and other organisations.
Keepabl helps public and private organisations comply with the GDPR. But, given the 28 (for now …) Member States and 3 more EEA Members, all with different regulatory histories, that isn’t always an easy thing to do.
We truly believe we’re blessed with excellent regulators in the privacy industry who promote compliance in a practical and commercial manner. However, when we noticed interesting patterns in early data on personal data breach notifications, we looked for a way to enable discussion and learning across the EEA.
The BPM Index may be that way. We hope you find it as interesting as we do and we look forward to the discussions to come.
As above, Ireland’s number of Notifications in September 2018 was 451, and France’s monthly average at that time was 167. On the face of it, Ireland had 2.7x the number of Notifications – interesting in itself.
But normalise that against the populations of 4.8m for Ireland and 67.2m for France, and Ireland now has 31x the Notifications that month.
And normalise that against the number of businesses (250k for Ireland, 3.56m for France) and Ireland now has 38.4x the Notifications.
We’ve tried to compare apples to apples by taking EU data for populations and business numbers and a DPA’s own data for the number of Notifications. We’d be happy to be pointed to something we’re missing in the data or the calculations, but the main point remains: why is there a difference per capita or per business between nations? Is it the international nature of the country’s business? Is it the type of business they have? Does it reflect different regulatory histories and guidance? Does it reflect more engaged, or simply more, data subjects that a business covers? We can’t say, and we’re not saying, that any particular score is better or worse than any other – we just don’t know enough yet – but a benchmark may emerge in future. We’re at the start of the journey, both for the GDPR and the BPM Index, and these are all fair questions to ask.
Keepabl’s aim in publishing the BPM Index is to foster a better and more common understanding of the personal data breach obligations in the GDPR, so we can all find it easier to comply. It’s why we’re sharing it under a Creative Commons licence. We hope it will help inform other research – it would be wonderful if academics and researchers joined the discussion.
We know the index isn’t perfect – for example, it’d be great to cut and slice the data by internal v external actors, public v private sector, and more. But that level of data isn’t easily available across the EEA right now. So the BPM Index is a good start, reflecting a commercial, practical approach to compliance. Over the last few months, we’ve had great co-operation from the European DPAs. In the mid-term, we’d love the EDPB to take on the BPM Index. It seems the right place for it to live and grow as they’ll have the cleanest data available.