Key developments in 2019

In 2019 we expected to see the ICO catch up on data breaches reported under the new GDPR regime that came into force in July 2018. The ICO reported an unprecedented year in 2018/2019 with 13,840 personal data breach reports, an increase from 3,311 in 2017-18. This demonstrates the increased public awareness of data protection and aligns with the increased onus on organisations to be proactive in their approach to data processing. However, the ICO also closed 12,385 of these reports without any further action. This was frequently the result of the measures already in place or being taken as a result of the breach which highlights the importance of the initial breach response approach.

We saw an increased number of personal data breaches arising out of cyber incidents. The ICO received around 2,500 cyber security incident reports during 2018-19 with 44% of those incidents being the result of phishing attacks. This accords with the types of cases handled through our ReSecure breach response service. Recent reports from the Anti-Phishing Working Group also recorded a three-year peak in phishing attacks during 2019.

With the ICO's increased regulatory powers, it is ever more important for organisations to implement adequate security measures to try to prevent these attacks. Measures can include using multi factor authentication, rule alerts, suitable firewalls and e-mail scans. Also, the importance of training for staff can never be underestimated as it is the human element of these attacks which often makes them so successful.

We have also seen record breaking ICO fines. While our experience has tended to be that the ICO takes a reasonable approach in investigating breaches generally, the fines are a reminder of the teeth that the ICO has, where it chooses to use them.

What to look out for in 2020

The ICO are preparing for 2020 with an increase in their workforce. In 2019 this increased 40% from around 500 to around 700 permanent staff. This is expected to increase to around 825 by 2021 with a focus on the appointment of skilled staff able to deal with a wide range of technology issues and developments. This is in line with the ICO's Technology Policy and Innovation Directorate which is aimed at working closely and collaboratively with the technology industry as it influences the data protection landscape. It is yet to be seen how this will affect the ICO's approach to cyber breaches and technology implementation. There is expected to be a closer working relationship with the National Crime Agency (NCA) and National Cyber Security Centre (NCSC) as more cyber incidents are reported.

This setting could well result in an increase in data breach litigation. On 4th October 2019, the High Court granted a Group Litigation Order paving the way for possible mass legal action by British Airways customers as a result of their data breach.

2020 will also see the Supreme Court review the Court of Appeal decision in WM Morrison Supermarkets Plc. The Court is being urged to overturn the ruling that found Morrisons to be vicariously liable for a data breach carried out by a disgruntled employee. The outcome of this decision will have significant implications for organisations processing personal data. It has also highlighted the growing potential exposures for data breaches as well as the increased importance of cyber insurance to cover these eventualities.