Fresh evidence that the Information Commissioner’s Office is one of the busiest regulators in the EU has emerged with new figures showing it has received over 40 data breach notifications every day since May 25 2018, with a monthly average of 1,276 cases.
A new report issued by Pinsent Masons, using information gathered from the ICO, Action Fraud and data protection authorities across Europe, shows three of the EU’s other largest economies - France, Italy and Spain - reported significantly lower figures with the monthly average being 307, 170 and 94 respectively.
A separate recent report issued by the ICO revealed that it had received around 14,000 personal data breach reports from organisations between GDPR D-Day and May 1 2019. In sharp contrast, the ICO said it had received around 3,300 personal data breach reports during the year ending 31 March 2018.
Under the GDPR, organisations are obliged to report certain personal data breaches to Data Protection Authorities and affected individuals. A personal data breach is defined under the Regulation as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Organisations must report personal data breaches they have experienced “without undue delay and, where feasible, not later than 72 hours after having become aware of it … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. In addition, where there is a high risk to the data subject, then the data subjects must be informed directly without undue delay.
The ICO said that more than 82% of the personal data breaches reported to it since GDPR came into effect “required no action from the organisation”. The watchdog highlighted the problem of “over-reporting” last year.
Pinsent Masons senior associate Stuart Davey warned that this is having a knock-on effect. He said: "The high levels of reporting of personal data breaches under GDPR mean the ICO is facing a backlog in dealing with notifications. This may result in organisations waiting longer to receive final decisions."