A new report by Pinsent Masons, featuring data gathered from the UK Information Commissioner’s Office (ICO), Action Fraud and data protection authorities across Europe, highlights the volume of personal data breach notifications under the GDPR and its impact on the caseload of the regulators.
Figures show that since the GDPR took effect on 25 May 2018, the ICO has received a monthly average of 1,276 data breach notifications – 43 notifications per day. Three of the EU’s other largest economies reported significantly lower breach notification figures, with the monthly average in France, Italy and Spain being 307, 170 and 94, respectively.
A separate report by the ICO revealed it had received around 14,000 personal data breach reports from organisations between 25 May 2018 and 1 May 2019. By way of comparison, it received approximately 3,300 personal data breach reports in the year ending 31 March 2018. Under the GDPR, organisations are obliged to report certain personal data breaches to data protection authorities (DPAs) and, in some cases, to affected individuals. A personal data breach is defined in Article 4(12) of the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Under Article 33(1), organisations must report to DPAs personal data breaches they have experienced “without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. Under Article 34, where a breach is likely to result in a high risk to the rights and freedoms of individuals, the affected data subjects must also be informed directly without undue delay.
The ICO said that more than 82 per cent of the personal data breaches reported to it since the GDPR took effect “required no action”. The watchdog highlighted the problem of “over-reporting” last year.
This can, in part, be attributed to the greater awareness of the new 72-hour timeframe under GDPR. There is a lack of detailed regulatory guidance to help assess whether the reporting threshold has been met, which means it is often difficult for data controllers to make a finding at such an early stage. Many are understandably choosing to notify on a precautionary basis to avoid falling foul of the new requirements, or receiving a fine.
However, as our report explores, not all security incidents require notification to the regulator. We are only one year into GDPR and it will be interesting to see reporting figures this time next year and the impact that another 12 months will have. Things may settle down, but a large GDPR fine in the meantime may add a new dynamic.
Our report flagged the impact that the GDPR’s introduction of a general data breach reporting requirement has had on data protection authorities’ caseload. It took the ICO until December 2018 before it began to close down data breach cases faster than they were being reported to it.
The high levels of reporting of personal data breaches mean that the ICO is facing a backlog in dealing with notifications. This may result in organisations waiting longer to receive final decisions. However, we have seen that the ICO appears to have gone through an adjustment period and is now starting to close down more notifications than it is receiving.
Other EU DPAs are closing down a significantly lower proportion of notifications. We have seen data protection authorities across Europe getting used to the new regulatory regime during the past 12 months. However, it is very interesting to see the comparison in the data between different European jurisdictions in terms of the number of personal data breach notifications.
- Stuart Davey, senior associate, Pinsent Masons