July 31, 2018: ICO reveals self-reported data breaches increasing.
According to the Information Commissioner’s Office (ICO), the number of self-reported personal data breaches has risen significantly since the GDPR became law on May 25th. However, this should come as no surprise considering the fact that most companies are still on the road to achieving GDPR compliance.
The head of the ICO’s personal data breach reporting team, Laura Middleton, has revealed that there were 1,792 personal data breaches reported to the ICO during the month of June. This figure represents a rise of 173% compared to the 657 notifications received in May, and equates to almost a fivefold increase compared to April, which saw just 367 notifications.
The highest numbers of self-reported data breaches came from the health, legal, education, general business and local government sectors.
In 2017, according to the ICO’s annual report, the number of self-reported data breaches increased from 2,447 in 2016-17 to 3,156 in 2017-18. The GDPR places new legal obligations on employers to self-report personal data breaches to the ICO within 72 hours of a breach occurring.
Typically, data breaches involve electronic records, but they can also involve paper records and other media types. In addition to breaches of the confidentiality of personal data, qualifying breaches can also include incidents of:
- unauthorised or accidental alteration of data;
- accidental or unauthorised loss of data; or
- access to, or destruction of, personal data.
David Morris, risk insurance director at RSM technology, said:
By the ICO’s own admission, it was expecting a significant rise in the self-reporting of personal data breaches following GDPR and the early indications are it hasn’t been disappointed.
However, Morris also remarked that the increase does not necessarily mean that more cases of data breaches are occurring, arguing it is likely that the new rules are making the reporting of breaches more accurate.
The increase may also reflect that organisations have understood the importance of the compliance work that they have been doing to prepare for GDPR and the need for the new procedures that they have spent many hours implementing.
The message from the ICO seems to be that organisations need to get better at recognising which types of breaches are reportable, and to carry out a full risk assessment in order to make a full disclosure within the 72-hour deadline. This is a big culture change for organisations aiming to meet their GDPR compliance obligations.
The increasing number of self-reported data breaches may signify that firms are taking notice of the warnings about potential penalties, and are earnestly working towards achieving GDPR compliance.