The Information Commissioner’s Office (ICO) has recently released its annual report for 2017 – 2018. This provides a fascinating insight into the ICO’s priorities and some early clues as to its likely approach to GDPR enforcement.
One of the most obvious impacts of GDPR will be on the number of breaches reported to the ICO. Historically, breach reporting has been optional with no obligation to tell the ICO, although major breaches have increasingly been reported voluntarily. The annual report figures state that in 2016-17 2,565 breaches were reported, with this jumping to 3,311 in 2017-18. The annual report covers the period to 31 March 2018 (i.e. before GDPR came into effect) which makes the jump striking.
This does not necessarily mean that there were more breaches, it could simply be that a higher proportion of them were notified to the ICO. Carrying out GDPR preparation work may have helped organisations to identify potential breaches more easily, and the heightened awareness during this period could have led to the jump in notifications. In addition, at Shulmans, we have worked with clients who treated pre-GDPR breaches as an opportunity to test their breach response processes and engage with the ICO while the stakes were a little lower, which could also have led to the early jump in notifications.
Early figures suggest a further increase to 367 reports in April, 657 in May and 1,792 in June 2018. This means that in June there were nearly eight times as many reports as in an average month in 2016-17. Heightened awareness is still likely to be one cause for this, but there is also probably a degree of over-reporting at this stage. Until organisations get a feel for what the ICO considers to be a sufficiently serious breach to require reporting it is safer to report and hope that the ICO takes no further action, than to not report and risk criticism for that decision at a later stage. An additional reason which may lie behind over-reporting is that individuals are also more aware of data protection issues as a result of the publicity around GDPR. We have advised on incidents arising from data subject complaints relating to instances we considered to be non-reportable, where a voluntary report was made to pre-empt a notification being made by the individual.
Although between 60 and 70% of the reports in the period covered by the annual report resulted in no further action, this proportion is reducing, and it is becoming more common for the ICO to require action from the data controller as a result of a notification. Even if no further action is taken, typically the ICO will retain a record of the incident on file and refer to it if future issues arise relating to the same organisation. For the remainder of reports there were a range of outcomes from requiring a specific action through to fines, and at this stage appropriate engagement with the ICO can be crucial to maximise an organisation’s chances of receiving one of the lighter touch outcomes.
The statistics show that the vast majority of self-reported incidents come from the health sector, followed by education and local government. Other sectors making significant numbers of reports include the legal profession, charities, financial advisors and lenders. These sectors are likely to have a higher than average awareness of data protection issues so again, the figures may reflect a higher likelihood of a breach being reported rather than there being more breaches in this sector.
ICO Engagement with Data Subjects
One surprising statistic coming out of the report is that the majority of calls to the advice line come from individuals rather than businesses. Given that the ICO has introduced a new phone line to give advice about GDPR preparation, we would have expected the proportion of calls from businesses to be higher than 32%. Although there were 235,672 calls to the helpline, only 21,019 “data protection concerns” were received which indicates that a significant proportion of the ICO’s work continues to be advice and guidance rather than investigation and enforcement.
There is also a striking disparity between the number of self-reported incidents (3,311 in 2017-18) and the number of concerns raised by the public (21,019 in the same period). Around 40 per cent of these relate to subject access requests which has historically been the key issue which individuals are aware of when it comes to data protection. This is likely to continue to be a high profile issue but it will be interesting to see the number of complaints arising in future in relation to other new data subject rights or the legitimacy of data processing, both of which have been the focus of commentary in recent months.
It is unsurprising that around 30% of complaints result in no action for the data controller as sometimes complaints to the ICO will not be valid or worthy of further investigation. Organisations may not ever know that these complaints have been made against them. In addition, around 3% do not raise Data Protection Act issues. However, the report indicates that there is then a wide range of outcomes including requiring action, giving advice to the data controller, and agreeing an action plan. These outcomes all involve the ICO working with organisations to explain how to improve their data handling and the data controller then implementing action points and together amount to around 35% of cases. Cases which result in a financial penalty are a small proportion of the total and often involve either a major breach or a failure to engage with the investigation. Therefore, as with data breaches, engaging constructively with the ICO is critical at this stage in order to achieve the desired outcome.
The report also gives an indication of the number of complaints made about marketing and cookies under the Privacy and Electronic Communications Regulations (PECR). The volumes are much higher than data protection complaints although this is the only area of the ICO’s workload where there has been a decrease in the number of concerns reported in the last year. The majority of complaints relate to telesales calls and it is likely that the ICO receives multiple complaints about specific companies. The report does not indicate the way in which these concerns are resolved although a large proportion of the ICO’s monetary penalties relate to marketing calls so it is likely that this is a more likely outcome for this type of complaint.
We also expect the number of concerns in this category to rise, not only due to GDPR and the tightening of the rules around consent, but also because PECR is likely to be replaced by a new regulation in the near future and this may lead to increased awareness of the issue.
By Helen Goldthorpe, Senior Lawyer, Shulmans LLP
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.