GDPR: more than 8,000 data breaches notified to ICO


More than 8,000 data breaches have been reported in the UK since the General Data Protection Regulation (GDPR) took effect in May, the information commissioner has said.06 Dec 2018 

Elizabeth Denham revealed the number in a speech in New Zealand earlier this week.

The GDPR began to apply on 25 May this year. It has introduced, for the first time, a general obligation on organisations to disclose when they have experienced a major personal data breach to data protection authorities, and in some cases to people potentially impacted by the breach too. Previously mandatory data breach notifications only applied in a select few sectors, such as telecoms and banking.

The GDPR obliges organisations to disclose any breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed to local data protection authorities "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".

In addition, where there is a high risk of damage arising to the data subject then the data subjects must be informed directly without undue delay.

Denham said the GDPR had also sparked a rise in data protection complaints raised with her office.

Denham said: "It's just over six months since the new law came into effect across Europe bringing with it greater accountability, transparency and consumer control. As anticipated, I am seeing more of everything in the UK."

"More complaints from the public - from 9,000 to 19,000 in a comparable six month period. Complaints about subject access, data portability and data security. All of our front line services have jumped by at least 100%. More breach reports - over 8,000 since the end of May when it became mandatory in some high risk circumstances. And more stakeholder engagement as we work closely with organisations to advise on privacy risks from the outset," she said.

She said the introduction of the GDPR had served to raise the public's awareness of "the potential of their personal data". She said privacy and data security have "gone mainstream".

Denham said, though, that some aspects of the new legislation "need time to bed in". That includes rules on "algorithmic explainability, the detailed expectations in privacy by design, codes of conduct, extra territorial application and enforcement", she said.

Data protection law expert Laura Gillespie of Pinsent Masons, the law firm behind, said the new statistics from the ICO reveal that about 41 data breaches per day have, on average, been reported in the UK since the GDPR came into force.

"During a breach webinar in the summer, the ICO commented that it had seen instances of 'over reporting' - that is reporting issues which fell below the statutory threshold," Gillespie said. "However, it is clear that there is a limited timeframe to complete a risk assessment to determine whether an incident is reportable or not. This decision to report, of itself, is linked to 'accountability'; a fundamental principle within GDPR."

"In her speech, Elizabeth Denham said that 'if, within the 72 hour time limit, a UK organisation has no clue as to the who, the what, the how of a breach, then it is clear that they do not have the required accountability data checks and balances in place - as required by law. As such, it is fundamental to GDPR compliance that businesses have suitable systems in place to understand when an incident has occurred, ensure the correct personnel are engaged and assess the risks of what has occurred; they will then be enabled to fully assess whether a notification to the ICO, and potentially also the data subjects, is required," Gillespie said.

A survey of 10,500 consumers around the world, including 1,000 in the UK, conducted earlier this year has highlighted the potential commercial implications for businesses that experience data breaches.

According to a new report by security provider Gemalto, 66% of consumers "would be unlikely to shop/do business with an organisation that experienced a breach where their financial and sensitive information was stolen".

The survey found that consumers are most likely to stop buying goods from retailers than any other type of company as a result of an online breach. Banks and social media companies are next most likely to see loss of business, Gemalto said.