DataHub Consulting, Experts in Analytics, Business Intelligence, and Compliance

Date: 24 August 2024
In this article we talk about some interesting statistics involving global data protection laws: 20 stats about data protection that I found interesting. Many companies don’t think about the severity and impact data protection has on data subjects, IT security, and brand reputation. In this article I wanted to start talking about some of these topics with some real world stats. For each one I’ve put some rationale behind the information.

The information and statistics in this article are accurate when the article was published.

With data protection, having an incident response plan is essential. If a potential data breach happens, who within the business will be notified, what are the responsibilities, who will co-ordinate, etc.?
There are 3 scenarios here:

  • Companies that don’t have any data protection in place.
  • Companies that have data protection in place but have not got an incident response plan.
  • Finally, companies that have an incident response plan but never test the plan.

Taking the last two points in the list, there are companies that don’t have an incident response plan in place. If they don’t have an incident response plan then they need more awareness training on the potential threats. Any organisation could be the target of a cyber attack, and how they deal with it can affect the fine imposed.

There are also companies that have an incident response plan but never test the plan. How do you know it works? Are the staff and management involved aware of their responsibilities?

According to a UK government website, 76% of consumers are influenced by how an organisation handles their personal information. Increasingly I’m seeing companies get more subject access requests on a year to year comparison. This does indicate that data subjects are considering how their personal information is being used and are asking questions of companies.

If a brand is involved in a data breach this will definitely impact brand loyalty and revenue. There is a study by Ayruz that talks about brand loyalty and consumers after a data breach. The study mentions that the U.S. brand Target saw a 16% drop in sales in the first quarter after a data breach was publicised.
Source: Impact of Consumer Loyalty after Brand Data Breaches | Ayruz

Another interesting stat on this topic is that 47% of data subjects across 12 countries ended relationships with companies due to concerns over data privacy. There are instances where consumers have a long term service or subscription with a company and these services have been terminated due to data privacy concerns. This could be with a bank, credit card company, TV subscription service, insurance company, loyalty membership with an airline, etc.

Fortune Business Insights says “The global data protection market size was valued at USD 131.82 billion in 2023. The market is projected to grow from USD 150.38 billion in 2024 to USD 505.98 billion by 2032, exhibiting a CAGR of 16.4% during the forecast period”.
Source: Data Protection Market Size, Share | Growth Report [2032] (fortunebusinessinsights.com)

The Fortune Business Insights article above puts the growth to date down to:

  • An increase in cyber crime.
  • Covid and people having to work remotely from home: companies had to invest in remote solutions to protect devices like laptops as well as the data on those devices.

For these reasons there has been significant growth in the data protection market.
If this prediction is correct for 2023 then this tells me that cyber crime will increase during this period and the global data protection market will need to follow suit.

Ransomware is a type of malware which prevents you from accessing your device and the data stored on it, usually by encrypting the files to prevent the organisation accessing the data. Cybercriminals will then demand a ransom in exchange for unlocking the files or device.


With regards to personal information, ransomware is one of the biggest cyber security threats, especially for personal information within the airline industry. Cyber criminals have the perception that airlines handle lots of data with personal information of passengers. This is correct. But there is also the perception that all airlines are cash rich. This is not always the case. For this reason airlines are targeted by cyber criminals with the intention of ransomware attacks. Criminals can spend weeks, even months, trying to infiltrate the data systems of a business, and for that reason they demand large amounts of money to release the files / devices.

This decision will depend on a number of factors, but most companies would want to see their systems back in place as quickly as possible and to ensure the security of their customers’ personal information. For this reason companies do pay the ransoms. This is one of the reasons why ransomware attacks are on the increase. Previously I’d never considered the percentage of companies that pay the ransoms, but this number is in the region that I would have expected.

With more and more data being stored in the cloud, this is the route that cyber criminals are using to gain access to systems. If a hacker wanted to gain access to a system that was not cloud based they would need to bypass a company’s firewall to get external access to internal systems.

With cloud there are security measures in place, but as the data is stored externally this is an easier target. If an organisation did not put adequate security in place then this could leave the data (including personal information) vulnerable. In number 15 below we talk of using multi-factor authentication; this is one method to secure cloud data.

I would have expected there to be a rise in cloud based cyber security attacks but 75% is very high. This shows that organisations are leaving themselves vulnerable and cyber criminals are taking advantage of this.

We can see in this article that data breaches from cyber crime are on the increase. So companies are having to spend more to protect their data assets. As an example of increased cyber threats, here at the Datahub offices we have seen an increase in individuals or groups trying to access our systems. For example:

  • Trying to access our cloud services.
  • Trying to gain access to our website.
  • Also, calling our offices pretending to be an engineer from our internet provider, saying that there are warning and error messages coming from our router. They then try to get us to allow them remote access to our router.

Fortunately we have the safeguards and technical knowledge to put the necessary security measures in place. With examples like this all organisations are setting aside more of the budget for cybersecurity.

With the EU GDPR, if a data breach occurs that contains personal information the breach must be reported to the supervisory authority within 72 hours. So companies are obligated to disclose the breach very quickly. This includes, in most cases, notification to the affected data subjects. Usually large organisations that have shareholders then make an official statement with information.

When this occurs I can see shareholders being reluctant to invest or, in some cases, to be associated with the organisation. So experiencing a drop in stock price is understandable.

When I talk at large events about data protection and get onto the topic of data breaches I emphasise that data breaches can potentially lead to loss of customers and nervous investors. Customers may not want to do business with a company that may not protect the personal information sufficiently. But also any investor may get nervous about their investment as they are investing to make money.

When I see data breaches, they can be classified into three categories:

  • External Malware
  • Unintentional Insider Breach
  • Malicious Insider Breach

External malware is a cyber attack from an external source. The malicious insider breach could be where an employee is removed from the organisation and is not happy. They decide to take a copy of some data, let’s say a marketing mailing list containing customer names and addresses, as a malicious act.

The second in the list, unintentional insider breach is where an employee makes a genuine mistake that could potentially lead to a data breach. There are times when this does happen.

Let’s look at this example: an individual takes a photo in his workplace and innocently posts it on social media. Some may think, what’s the harm in that?

But zoom in on the image and there is a yellow note under one of the monitors that has a password written down and visible.
This is an example of an unintentional insider breach. You may say this wouldn’t happen in our organisation, but it does happen. I’ve seen similar examples when conducting data protection audits.

With awareness training and regular data protection audits potential data breaches from human error can be vastly reduced. These types of breaches are preventable.

According to Security magazine (www.securitymagazine.com) 78% of individuals use the same password for more than one account. 52% use it for at least three accounts, and 4% use it on at least 11.

Unfortunately it’s common practice for users to use the same password across different systems. I realise that remembering multiple passwords can be difficult, but having the same password for multiple systems is bad practice. If the password gets compromised then this gives hackers access to multiple systems. They realise that users do this and will try the password on the various systems.

EU GDPR Article 39(b), tasks of the data protection officer, states that it’s the responsibility of the DPO to monitor compliance with “awareness-raising and training of staff involved in processing operations”. This does not mean that the DPO has to carry out the training, but to monitor that training is carried out. With this percentage the problem could lie with the fact that not all organisations have a DPO. Under EU GDPR having a DPO is not mandatory. I’m not using this as an excuse, but it could be a factor.

Statista claims that only 58% of US and UK organisations regularly conduct data privacy staff training.

Personally I think this is accurate. A number of companies in the UK that I’ve spoken to at events where I’ve been presenting have data compliance in place, with legal counsel to interpret the law, but do not include staff awareness training as part of the data compliance programme. If what I observed in the UK is similar in the U.S. then I can believe that this information is accurate.

The graph referenced above shows the status of implementation of data privacy measures at U.S. and UK organizations as of May 2023. Source: U.S. UK companies data privacy measures 2023 | Statista

This may sound a lot, but there are a number of sources that state similar numbers to the Information Commissioner’s Office. For example, IBM has stated that the average cost of a data breach in 2024 is USD 4.88 million.
Source: Cost of a data breach 2024 | IBM

With the EU GDPR being enacted in 2018, marking the start of the modern data protection laws, many countries looked at GDPR for its adoption and acceptance. With the EU Commission rolling out GDPR, enforcing the laws, and acting on companies with large fines, many countries have followed suit and implemented a similar law to EU GDPR.

Especially with data breach notification, the modern data protection laws are all aligned on notifications to both the authority and the data subjects.

In today’s world of world travel, internet transactions for online retail sales and online banking, countries around the world have a need to transfer personal information. For this to happen, common standards of data protection are required. In GDPR terms this is called an adequacy decision. Where there is no adequacy decision between the EU and the country in question, that country is considered a third country and standard contractual clauses (SCC) are put in place for transfers to happen. The SCCs then provide increased security and protection along with transparency and accountability.

There are variances between the data protection laws from country to country, which poses the first challenge for organisations. The second challenge is where the transfer involves a third country and SCCs are used.

With all the different data protection laws it could be confusing to many companies, I get that.

Datahub are experts in multiple data protection laws across the world and can advise any organisation, regardless of location, on the data protection laws and how to approach cross border transfers.

A survey conducted by DLA Piper revealed that in the EU, Germany, the Netherlands, and Poland were amongst the countries with the highest number of data breach notifications during 2023. With this statement the severity of the data breaches needs to be taken into account. A country could have a high number of data breaches reported to the supervisory authority, but a country with a lower count could have breaches with a higher severity. When I talk of severity I’m talking of the number of data subjects impacted, the type of personal information involved, and the actions of the company after the breach.
Source: GDPR Fines and Data Breach Survey: January 2024 | DLA Piper

A method a hacker uses to gain access to a system is to get the username and password of a user and then gain access under those credentials. Multi-factor authentication (MFA) makes this more difficult for the hacker and helps prevent data breaches.


With MFA you have to authenticate with multiple methods to access a file or system. For example, a username and password is one method of authentication. But then also having to enter a code sent to your phone via an authenticator app would be a second authentication method. Only once all of the authentication methods have been successful will the user get access to the system. We are discussing cloud storage systems, but MFA can also be applied to devices like laptops, etc.

For all cloud systems MFA is available for organisations to implement, and this should be done by the IT infrastructure or IT security team. So to see that only 69% of companies use MFA is something I find difficult to understand. I would have expected this to be in the 90% region. In the audits that I conduct this is an easy and quick win to implement.
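As an added illustration of the two-factor flow described above (this is example code written for this article’s explanation, not code from DataHub or from any cloud provider), the following Python shows a login that requires both a password and a time-based one-time code from an authenticator app (TOTP, RFC 6238), using only the standard library. The password and user record are constructed for the example; the TOTP secret is the published RFC 4226/6238 test-vector secret, so the codes it produces can be checked against the RFC.

```python
"""Added example: password plus TOTP (RFC 6238) second factor, standard library only."""
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the demo; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh random salt is drawn if none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so response timing does not leak how many bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time divided by the step."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def match_totp(secret: bytes, code: str, at: Optional[int] = None, step: int = 30,
               window: int = 1, digits: int = 6) -> Optional[int]:
    """Return the time-step counter the code matched, or None.

    Accepts +/- `window` steps of clock drift between the phone and the server."""
    at = int(time.time()) if at is None else at
    counter = at // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift, digits), code):
            return counter + drift
    return None


def make_user(password: str, totp_secret: bytes) -> Dict[str, object]:
    """Constructed user record; a real system stores this in a credential store."""
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "totp_secret": totp_secret, "last_counter": -1}


def login(user: Dict[str, object], password: str, code: str, at: Optional[int] = None) -> bool:
    """Both factors must pass. Report one generic failure to the caller so an
    attacker cannot learn which of the two factors was wrong."""
    if not verify_password(password, user["salt"], user["digest"]):
        return False
    counter = match_totp(user["totp_secret"], code, at=at)
    if counter is None:
        return False
    # A TOTP code is single-use: reject a code from a time step already accepted.
    if counter <= user["last_counter"]:
        return False
    user["last_counter"] = counter
    return True


# Constructed demo data. The TOTP secret is the RFC 4226 / RFC 6238 test-vector secret.
DEMO_TOTP_SECRET = b"12345678901234567890"
DEMO_PASSWORD = "correct horse battery staple"
demo_user = make_user(DEMO_PASSWORD, DEMO_TOTP_SECRET)

if __name__ == "__main__":
    now = int(time.time())
    good_code = totp(DEMO_TOTP_SECRET, at=now)
    print("password, wrong code :", login(demo_user, DEMO_PASSWORD, "000000", at=now))
    print("password + live code :", login(demo_user, DEMO_PASSWORD, good_code, at=now))
    print("same code replayed   :", login(demo_user, DEMO_PASSWORD, good_code, at=now))
```

The point the article makes is visible in `login`: a stolen password alone never returns `True`, because the second factor is checked independently. The `last_counter` field is the edge case practitioners usually forget: a code observed once must not be accepted a second time within its validity window.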

I’m not surprised by this number. Many phone users don’t realise the number of apps on both iOS and Android devices that collect and process a significant amount of data about the user, for example the number of apps that utilise the GPS location. Most of these apps state in the terms and conditions that they will collect information on the users, but people like myself don’t read these for all apps downloaded.

In the settings a lot of this data collection can be switched off, but when installed it is on by default.

Above I mention that data subjects are making data subject access requests to have more control over how their personal information is being processed. With data breaches being publicised and more data protection laws being enacted, more and more data subjects are considering how their data is being used. In my opinion this is definitely a trend that will increase year on year.

This may seem very high, but in trying to validate this statement I found that IBM stated that “It takes 277 days on average to identify and contain a breach” in their Data breach action guide.
If a company has a data breach response team and action plan then this should be reduced. It will depend on a case by case basis, taking into consideration the size of the company, the number of systems they have that contain personal information, the IT security measures in place, and how quickly the IT systems can be isolated, taken offline, and actions taken, etc.

I’ve personally observed a company that had a data breach and it took 7 months to identify and contain the data breach. In this instance they brought in third party cybersecurity specialists to support. The company had lots of data systems with personal information as they processed data for many different clients that they worked with.

This is common throughout the world, not just the U.S. To be honest I would have considered this to be slightly higher than 56%. As a data protection professional, if I look at a company website about using their services I do look at the privacy policy. For me, if they have a well written privacy policy that is clear and transparent it gives me confidence that they take data protection seriously.


Many people will accept and sign up for a service or product without looking at the terms and conditions. I have been guilty of this as well. You may enter into an agreement without reading the terms and conditions and not understand what the company is going to do with your personal data.

At a minimum, if you are going to start a service with a company, look at the privacy policy on their website first. If any of it gives you concern then ask the company questions.

Contact Our Team

If you are interested in having a conversation about your data protection and what is possible, then here are the next steps.

Contact us: Contact us | DataHub Consulting
Datahub Consulting Website: Data Consultancy Services | Datahub Consulting

Find out how we can help

We do not employ salespeople; our team are all experienced technical specialists that can talk you through any of our services.

Contact us