Organisations operating in the UK are reporting data breaches in greater numbers than in many other parts of the EU, according to law firm Pinsent Masons.
Figures provided to the firm show that, since the General Data Protection Regulation (GDPR) took effect in May 2018, the UK’s Information Commissioner’s Office (ICO) has received a monthly average of 1,276 data breach notifications – 43 notifications per day. Three of the EU’s other largest economies reported breach notification figures significantly lower than in the UK. The monthly average in France, Italy and Spain is 307, 170 and 94 respectively.
The report, based on data gathered from the ICO, Action Fraud and data protection authorities across Europe, highlighted the issue and flagged the impact it is having on the caseload of the regulators.
Under the GDPR, organisations are obliged to disclose certain personal data breaches to data protection authorities and affected individuals. A personal data breach is defined under the Regulation as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Organisations must notify local data protection authorities of personal data breaches they have experienced “without undue delay and, where feasible, not later than 72 hours after having become aware of it… unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. In addition, where there is a high risk of damage arising to the data subject then the data subjects must be informed directly without undue delay.
A separate recent report issued by the ICO revealed that it had received around 14,000 personal data breach reports from organisations between 25 May 2018, the date the GDPR became effective, and 1 May 2019. By way of comparison, the ICO said it had received approximately 3,300 personal data breach reports during the year ending 31 March 2018.
The ICO said that more than 82% of the personal data breaches reported to it since the GDPR took effect “required no action from the organisation”. The watchdog highlighted the problem of ‘over-reporting’ last year.
Stuart Davey of Pinsent Masons said: “The spike seen in the incidents reported to the ICO can, in part, be attributed to the greater awareness of the new 72-hour timeframe under GDPR. There is a lack of detailed regulatory guidance to help the assessment of whether the reporting threshold has been met, which means that it is often very difficult for data controllers to make a finding at such an early stage. As a result, many are understandably choosing to notify on a precautionary basis to avoid falling foul of the new requirements, or receiving a significant GDPR fine.
“However, as our report explores, not all security incidents require notification to the regulator. We are only one year into GDPR and it will be interesting to see reporting figures this time next year and the impact that another twelve months will have on levels of reporting. Things may settle down, but a large GDPR fine in the meantime may add a new dynamic.”