General Data Protection Regulation (GDPR) , Governance & Risk Management , Incident & Breach Response

Under GDPR, Data Breach Reports in UK Have Quadrupled

Privacy Regulator Sees 1,750 Breach Reports in June, Up From 400 in April

Self-reported data security incidents, March to June 2018. (Source: ICO)

The scale of data breaches in Europe is rapidly evolving past the "problem unknown" stage, thanks to the EU's General Data Protection Regulation, for which enforcement began on May 25 (see GDPR Enforcement Deadline: If You Blew It, What's Next?).

See Also: Live Webinar | Cybersecurity in Healthcare Supply Chains: A CISO Perspective

GDPR imposes a number of new requirements on organizations that handle personal information. But one of the biggest changes is that organizations must track all breaches, as well as report certain types of breaches to authorities "within 72 hours of becoming aware of the breach, where feasible," according to the Information Commissioner's Office, which is the U.K.'s data privacy watchdog and GDPR enforcer (see GDPR and the Next Generation of Privacy Legislation).

So it should be no surprise that the number of breach reports being filed to the ICO by organizations - based inside the U.K. and out - has already increased dramatically.

In both March and April, the total number of breaches reported to the ICO was about 400, according to data released by the ICO last week. But the number of breach reports climbed to about 700 in May and hit about 1,750 in June, the ICO says.

"June was the first full month with the GDPR in place, so it is unsurprising to see an increase in the number of personal data breaches reported to the ICO," attorney Anna Flanagan, who specializes in data protection law at Pinsent Masons, says in a blog post.

But the data does not reveal whether organizations are suffering more - or fewer - breaches than before. "It's important to note that while the number of reported breaches has increased, it does not necessarily mean the number of breaches has increased - just that more are being reported," says Brian Honan, who heads cybersecurity consultancy BH Consulting in Dublin, and who moderated a panel focused on complying with GDPR at the June Infosecurity Europe conference in London (see GDPR: UK Privacy Regulator Open to Self-Certification).

Organizations that fail to comply with GDPR can face fines of up to 4 percent of an organization's annual global revenue or €20 million ($23 million), whichever is greater.

But organizations that fail to comply solely with GDPR's reporting requirements face lesser fines - up to €10 million ($12 million) or 2 percent of annual global revenue.

Two Ways to Report Breaches

There are two ways to report breaches: via a dedicated telephone number or by using an online form.

In the U.K., organizations have two ways to report data breaches - using an online form, or by phone. The latter is best for organizations that need advice or which may be experiencing their first breaches, says the ICO's Laura Middleton.

"One of the benefits of reporting by phone is that we can hopefully gather all the information that we need from you to make a decision about what we need to do next and perhaps avoid follow-up correspondence, so potentially you can deal with it all in one conversation," Laura Middleton, who heads up the ICO's personal data breach enforcement team, said in a Thursday webinar.

Source: ICO

"Contacting us by phone is a good idea if you need advice about how to manage a breach or whether to tell data subjects, and it can be particularly helpful for organizations that are perhaps experiencing their first breaches and they're a little bit unsure about what to do," Middleton said.

Based on the first weeks of post-GDPR breach reporting, however, Middleton issued a reminder to organizations: Not all breaches need to be reported. An organization's data controller must determine whether a breach, indeed, is reportable under GDPR's requirements, she said. She urged organizations to make that decision rather than simply reporting everything in the interests of transparency, given the high volume of breach reports that the ICO has been receiving.

"Unsurprisingly, [the ICO] has noticed an increase in 'over reporting,' where controllers are so concerned about not complying with the notification requirements that they are notifying the ICO of breaches that don't meet the threshold for notification," says Pinsent Masons' Flanagan. "Data controllers should focus on maintaining their own internal record of data breaches that do not meet the notification threshold, with their reasoning as to why."

And she says organizations need to have detailed policies and procedures in place now to help data controllers best make those determinations going forward (see CISO Thom Langford's Top Tips for GDPR Compliance).

Organizations based outside the EU but which store or process Europeans' personal data must also comply with GDPR. If an organization suffers a breach that has exposed U.K. residents' personal data, then they need to report that to the ICO, regardless of where they're based, according to the regulator.

Deadline: 72 Hours to File Report

Middleton also reminded organizations that they have 72 hours to file a breach report. "The 72 hours isn't just to email or phone us" with a heads-up that the organization had suffered a breach, Middleton said, but rather to provide a report to the ICO including the details it specifies on its website.

Under GDPR, organizations must report a breach to the relevant authorities within 72 hours learning about it. In the U.K., those reports must include very specific details to be considered valid, says the ICO's Laura Middleton.

At the same time, Middleton urged organizations to not file a report immediately within the 72-hour time frame, but rather to first attempt to gather as much information as possible.

By way of example, she noted that a few weeks ago, a company reported to the ICO that it had lost some pay slips, only to follow up several hours later to say that they'd been found and were never actually lost.

"Rather than reacting so quickly to try and tell the ICO about it, that time perhaps would have been better spent just looking for the pay slips and satisfying yourself that they weren't actually lost," Middleton said.