The Information Commissioner’s Office (ICO) has recorded a major jump in the number of personal data breach reports following the arrival of GDPR, with the number of reports climbing from 367 in April to 1,792 in June.
The figures were revealed by Laura Middleton, head of the ICO’s personal data breach reporting team in a webinar session for data controllers, in which she added that the ICO also received 657 personal data breach reports in May, signifying a jump of 173 percent over April figures.
Fear of fines under GDPR propels breach reporting
Considering that failure to comply with the GDPR’s incident reporting requirements can attract a fine of up to €10 million or 2 percent of an organisation’s annual turnover, it is, therefore, easy to understand why the number of reported breaches has visibly increased in a short span of time.
However, according to Anna Flanagan, a data protection expert with law firm Pinsent Masons, the ICO also observed that many of the reports either didn’t meet the threshold for notification or did not contain complete information such as whether or not there had been a breach.
“The ICO identified a number of interesting trends. Again, unsurprisingly, it has noticed an increase in ‘over-reporting’, where controllers are so concerned about not complying with the notification requirements that they are notifying the ICO of breaches that don’t meet the threshold for notification. Data controllers should focus on maintaining their own internal record of data breaches that do not meet the notification threshold, with their reasoning as to why.
“Incomplete reporting was noted by the ICO as being a problematic issue. The ICO noted that it has received a number of reports essentially setting out that the data controller is unaware of what has happened, including whether or not that there has even been a data breach; and that this lack of understanding into whether or not a breach has even occurred is not compliant with the legislation and not an appropriate notification to make,” she said during the webinar.
More clarity on GDPR a must for firms
What this indicates is that many organisations, especially small and medium ones, are not aware of what kind of breaches should be reported to the ICO and are not carrying out the minimum due diligence to provide relevant information to the ICO, based on which the watchdog can take further action. Clearly, the fear of fines and reputational damage under GDPR is too much to take for many of them, and this is reflected by the urgency to report every incident without carrying out internal assessments.
Richard Walters, Chief Security Strategist at CensorNet, told TEISS last year that organisations should not stress themselves too much about GDPR and the fines that come with it as the ICO will probably grant time and space to organisations to figure out the new law, to shape their policies, and to adjust their attitudes towards data before imposing huge fines under the new privacy law.
“Despite the Data Protection Act coming into force in 1998, it was 2010 before the first fines were issued by the Information Commissioner. The likelihood is that GDPR won’t be an overnight change either, mainly because it’s just not realistic. As with every step into the unknown, the legislation will be a learning curve for all involved, and therefore a cross-over period and a bit of leeway for organisations having to adjust their attitudes towards data will naturally be required and probably granted,” he said.
“That’s not to say that all anyone can do right now is sit twiddling their thumbs waiting for all aspects of GDPR to become crystal clear. Beginning to think about what personal data (as defined in the new legislation of course) you’re storing, where you’re storing it and for what reasons, will benefit your business in the long run. An internal audit of your systems, mapping out exactly where that data is, won’t make your business ‘GDPR ready’ as such, but it could be your first step on that journey and, let’s face it, it’s good business practice anyway,” he added.