Data breach notifications to ICO soar in GDPR era

AI

Data breaches are being reported more in the UK than in elsewhere in Europe, a study has found.

According to figures published by international law firm, Pinsent Masons, the Information Commissioner’s Office (ICO) has received an average of 1,276 data breach notifications each month since the implementation of the General Data Protection Regulation (GDPR).

The stats equate to around 43 data breach notifications being made to the UK regulator each day since May 25th 2018.

Behind the UK on the data breach notification league table are France, Italy and Spain, reporting 307, 170 and 94 data breach notifications each day respectively.

The report used data obtained by the ICO, Action Fraud and data protection authorities based across Europe. It illustrated the impact that data breach notifications are having on the workloads of respective regulatory bodies.

The GDPR obliges companies dealing with the data of EU residents to report breaches of personal and private information to the relevant regulator, and also to notify data subjects who may be adversely impacted by the breach.

Under the GDPR, a personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Once a breach has been identified, victim companies must inform regulators (the ICO for UK-based organisations) “without undue delay and, where feasible, not later than 72 hours after having become aware of it … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”

In another report published by the ICO, it was disclosed that around 14,000 personal data breach reports had been sent to the ICO between May 25th 2018 and May 1st 2019.

For the year ending March 31st, the ICO said that it received around 3,300 personal data breach reports.

Commenting on the findings, Stuart Davey of Pinsent Masons, said:

“The spike seen in the incidents reported to the ICO can, in part, be attributed to the greater awareness of the new 72-hour timeframe under GDPR. There is a lack of detailed regulatory guidance to help the assessment of whether the reporting threshold has been met, which means that it is often very difficult for data controllers to make a finding at such an early stage.

“As a result, many are understandably choosing to notify on a precautionary basis to avoid falling foul of the new requirements, or receiving a significant GDPR fine.”

“However, as our report explores, not all security incidents require notification to the regulator. We are only one year into GDPR and it will be interesting to see reporting figures this time next year and the impact that another twelve months will have on levels of reporting.

“Things may settle down, but a large GDPR fine in the meantime may add a new dynamic.”


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.