UK Organisations Report Four Times More Breaches Than Closest EU Country

The Information Commissioner’s Office (ICO) have received over 16,000 data breach notifications since GDPR came into force in May 2018.

According to data released by law firm Pinsent Masons, the ICO have been processing in excess of 43 data breach notifications each day since May 25 of last year.

The UK’s monthly average of 1,276 reports to the ICO considerably tops the European league table for reported incidents. France are the closest with a monthly reporting rate of 307 incidents, followed by Italy with 170 and Spain with only 94 reports per month.

The UK’s reporting figures have now quadrupled compared with the reporting rate in the year before GDPR’s implementation.

Similarly, as the public have been made more aware of protecting their personal information, the number of complaints being made to the ICO has doubled to 41,054 in the past year.

The increase in reporting highlights a clear cultural shift in disclosing data breaches following the new regulations that were brought into force last year.

A recent Freedom of Information (FoI) request found that law firms were amongst the quickest organisations to react and report data breaches to the Information Commissioner’s Office (ICO) prior to GDPR.

According to the FoI request, obtained by pen-testing firm Redscan, too many organisations ignored the 72-hour limit to disclose a breach to the UK’s watchdog, the ICO. In fact, only 45 organisations would have been compliant under the current regulations.

Up to the end of the financial year on 5 April 2018, the ICO received 181 reports that a data breach had taken place. Law firms that reported breaches during this time took 20 days to contact the ICO, amongst the fastest of any business type and second only to financial services, which took 16 days of deliberations before the ICO were notified.

In comparison, the average business took three weeks (21 days) to report a data breach following a cyber attack. One firm, either unaware of the data breach that had occurred within their business, spent over three years fretting before eventually disclosing the breach after 1,320 days.

Some have claimed that UK organisations may be moving too far in the opposite direction by reporting incidents that may not require notification to the regulator. Whilst a fear of ICO sanctions and fines will continue to prompt a report to the regulator, it is thought that the excessive reporting will calm down in due course.

Kingsley Hayes, Managing Director at Data Breach and Cyber Security Specialist Hayes Connor Solicitors, said:

“The figures are not surprising as the introduction of GDPR has both increased the focus on, and awareness of, data protection. More consumers are well versed in their rights and the value, and potential vulnerability, of their personal information.

“GDPR is still relatively in its infancy with evidence that more organisations are investing in both preventative technological measures and staff training to enhance their ability to protect customers’ personal data. The ICO is yet to deliver its first data breach verdict, and potential first fine, since GDPR.”

Stuart Davey, of Pinsent Masons, said:

“The spike seen in the incidents reported to the ICO can, in part, be attributed to the greater awareness of the new 72-hour timeframe under GDPR. There is a lack of detailed regulatory guidance to help the assessment of whether the reporting threshold has been met, which means that it is often very difficult for data controllers to make a finding at such an early stage.

“As a result, many are understandably choosing to notify on a precautionary basis to avoid falling foul of the new requirements, or receiving a significant GDPR fine.

“However, as our report explores, not all security incidents require notification to the regulator. We are only one year into GDPR and it will be interesting to see reporting figures this time next year and the impact that another twelve months will have on levels of reporting.

“Things may settle down, but a large GDPR fine in the meantime may add a new dynamic.”

Are UK organisations becoming overly cautious in their reporting of data breaches? Do we need further guidance on when to report a data breach? Is it worrying that the UK’s European counterparts are so far behind?
