Self-reporting to ICO soars as GDPR warnings hit home

DataIQ News

Most companies may still be on the road to GDPR compliance, but one of the measures is certainly sinking in after the Information Commissioner's Office (ICO) has revealed a big rise in the number of self-reported personal data breach notifications since the regulation came into force on May 25.

During a webinar for data controllers posted on the ICO website, the head of the regulator's personal data breach reporting team Laura Middleton revealed there were 1,792 personal data breaches notified to the ICO in June alone. This represents a 173% rise on the 657 reports received in May 2018, and an almost fivefold increase compared to April, when there were just 367 notifications.

The sectors which accounted for the highest number of self-reported data breaches were health, education, general business, solicitors and barristers, and local government.

Last year, the number of self-reported data breaches increased by 29% from 2,447 in 2016-17 year to 3,156 in 2017-18, according to the ICO's annual report.

GDPR places new obligations on employers to self-report qualifying personal data breaches to the ICO within 72 hours of a breach becoming known.

Breaches can typically be of electronic records but they can also cover paper records and other media. In addition to confidentiality breaches to personal data, qualifying breaches can also include incidents of unauthorised or accidental alteration to data, or accidental or unauthorised loss off, access to, or destruction of, personal data.

RSM technology risk assurance director David Morris said: "By the ICO's own admission, it was expecting a significant rise in the self-reporting of personal data breaches following GDPR and the early indications are it hasn't  been disappointed."

However, Morris is quick to point out that the increase does not necessarily mean that more data breach incidents are occurring, arguing that it is more likely that the reporting of issues will now be more accurate as a result of the new rules.

"The increase may also reflect that organisations have understood the importance of the compliance work that they have been doing to prepare for GDPR and the need for the new procedures that they have spent many hours implementing," he added. "The message from the ICO seems to be that organisations need to get better at recognising what type of breaches are reportable, and to carry out a full risk assessment in order to be able to make a full disclosure within the 72-hour deadline. This is a big culture change for organisations aiming to meet their GDPR compliance obligations."