GDPR era heralds new peak in number of data breach whistleblowers

The number of whistleblowers lifting the lid on data breach events has tripled in the time since May 25th 2018, when the EU’s General Data Protection Regulation came into force, the Financial Times online reports.

The Information Commissioner’s Office (ICO), which is the regulatory body for the GDPR in the UK, has received an escalating number of confidential reports on the issue, as illustrated by new data that reveals rising anxiety among the public regarding cyber security and privacy online.

Analysis conducted by law firm RPC found that over the summer months of this year, the ICO received reports of potentially undisclosed data breaches from 82 people, a figure that clocked just 31 for the three months leading up to the end of April.

The leap represents a rise of nearly three times in the number of data breach reports since GDPR first began to bear its teeth in late May. As companies around the world prepared for the new legislation in the years and months leading to May 25th 2018, momentum to become more compliant was increased through the new laws’ headline penalties.

Companies guilty of a data breach can be liable to face fines of up to €20m or 4% of annual turnover, whichever is greater. The penalties are a marked increase on the £500,000 maximum that could be leveraged against guilty firms under the previous legislation, the Data Protection Act 1998.

But the number of high-profile hacks, data breaches and intrusions throughout 2018 demonstrates that organisations are having difficulty finding their way on the journey towards GDPR compliance.

Just last month, Marriott International became one more in a long list of global names to fall foul of poor data management, when the group disclosed that almost half a billion account holders on its Starwood database may have had their private details compromised.

That the iconic hotel brand failed to report this, the largest hack in corporate history, within the stipulate 72 hours of its discovery, will serve as a severely aggravating factor in whatever penalties are to be meted out.

Last week, the Irish Data Protection Commission (IDPC) announced that it would be launching a fresh investigation into Facebook, following the social network’s announcement that yet another data leak has led to the private photos of potentially millions of users being put into the public domain.

Indeed, the ICO has welcomed whistleblowers providing more insight into data breaches, ever since at least four individuals supplied crucial information following the Facebook / Cambridge Analytic scandal which has the potential to shake the very foundations of democracy itself.

Richard Breavington, partner at RPC said:

“In recent years, data protection has become a major concern not just of government and regulators, but also the general public. It is not just disgruntled employees who act as whistleblowers, but genuinely concerned individuals.”


European Data Protection Summit will take place on June 3rd in Central London and will play host to 800 DPO’s, Security Professionals and senior business decision makers looking for; information, updates, clarity, advice and solutions. For more information, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.