GDPR rules prompt spike in data breach notifications

Notifications of data breaches to the Information Commissioner’s Office (ICO) have rocketed in the first year of new reporting rules following the introduction of the General Data Protection Regulation (GDPR)

Tight timescales, a lack of detailed regulatory guidance and the threat of multi-million pound fines have fuelled the increase, according to research by law firm Pinsent Masons. In the first nine months since the implementation of GDPR in May 2018, the ICO received 11,562 notifications.

A spike in notifications was seen almost immediately post GDPR, with an almost five-fold increase from April 2018 (under 400 notifications) to June 2018 (over 1,700 notifications).

Based on figures provided to Pinsent Masons, the ICO is now receiving a monthly average of 1,276 notifications (43 notifications per day), a figure significantly higher than most other EU jurisdictions. Three of the EU’s other largest economies reported breach notification figures significantly lower than in the UK, with France, Italy and Spain reporting figures equating to monthly averages of 307, 170 and 94 respectively.

In addition, data from the ICO shows that, cumulatively, in the first nine months following GDPR the regulator closed down 7,771 requests as requiring no further action, a figure representing 66% of the incidents being reported to its office as personal data breaches over the same period.

The data also shows that, following GDPR, the ICO did not start to close down on a monthly basis more incidents than were being reported, until December 2018.

However, a number of EU data protection authorities (DPAs) closed down significantly less, with Ireland, Portugal and Spain concluding less than 10% of the total matters being reported in the same time frame and showing significant backlogs across EU DPAs.

Stuart Davey, senior associate in Pinsent Masons’ cyber practice, said: ‘The spike seen in the incidents reported to the ICO can, in part, be attributed to the greater awareness of the new 72-hour timeframe under GDPR.

‘There is a lack of detailed regulatory guidance to help the assessment of whether the reporting threshold has been met, which means that it is often very difficult for data controllers to make a finding at such an early stage. As a result, many are understandably choosing to notify on a precautionary basis to avoid falling foul of the new requirements, or receiving a significant GDPR fine.’

Accountancy Daily