On 12 September 2018, the UK Deputy Information Commissioner, James Dipple-Johnstone, made a speech to the CBI Cyber Security: Business Insight Conference in which he discussed recent data breach reporting trends in the UK.

The Deputy Commissioner noted that since the GDPR came into effect on 25 May 2018, the ICO has received approximately 500 calls per week to its breach reporting line. After a discussion with the ICO’s officers, roughly one third of these organisations decide that their breach does not meet the reporting threshold. The Irish Data Protection Commission has also been reported as having received a massive increase in breach notifications since the introduction of the GDPR.

Key trends in the UK

The Deputy Commissioner outlined key trends regarding breach reporting under the GDPR, including:

  • Organisations are struggling with the 72-hour time limit to report data breaches to the data protection authority. Organisations must remember that it is not 72 working hours: the clock starts ticking from the moment you become aware of a breach.
  • Some reports are incomplete. Whilst the ICO accepts that organisations may not have all information to hand within 72 hours, people with suitable seniority and clearance should be available to talk to the ICO and indicate when the rest of the information will be provided. If adequate resources are not assigned to managing the breach, the ICO will question why not.
  • Some controllers are over-reporting, in an effort to be transparent and manage their perceived risk or because they think that everything needs to be reported. The ICO will discourage this once the new breach reporting threshold has become more familiar. Organisations are not required to notify the data protection authority if the breach is “unlikely to result in a risk to the rights and freedoms” of the affected data subjects. (The Irish Deputy Data Protection Commissioner, Anna Morgan, has also warned against over-reporting – see our previous blog).

Like the Irish Data Protection Commission, the ICO has not yet issued any fines under the new regime. However, the ICO is currently investigating a data breach by British Airways, in which a hacker is alleged to have stolen credit card data associated with the purchase of 380,000 airline tickets. In addition to a potential administrative fine being imposed by the ICO, British Airways faces possible compensation claims from individuals adversely affected by the breach. The airline has already promised customers that it will reimburse them for any fraudulent losses experienced as a result of the breach; however, a UK law firm is reportedly threatening to launch a group action, the British version of a class-action lawsuit, unless British Airways also agrees to settle compensation claims for inconvenience and distress suffered by individuals as a result of the breach.

In regard to the level of fines that may be levied under the GDPR for data breaches, the Deputy Commissioner has indicated that if organisations take their responsibilities under the GDPR seriously, adopt a privacy by design approach to data protection, treat cyber security as a boardroom issue, and demonstrate a robust culture with appropriate transparency, control and accountability for employee and customer data, then the ICO will not usually have an issue with the organisation should the worst happen.

In regard to high fines imposed on large corporates by the ICO under the old Data Protection Act 1998, the Deputy Commissioner noted that a common thread ran through these, including:

  • Poor board level awareness of the risk to the organisation
  • Incomplete or missing corporate records including third party or inter-group contracts and policies
  • Lapsed staff training
  • Policies repeatedly not followed
  • Understanding the data protection risks of your supply chain or outsourced providers
  • Investment in security deferred
  • Poor data governance (particularly in test or product development environments)
  • Staff workarounds compromising security systems because the agreed way of working is not the easiest way of working, and
  • Obvious misconfiguration of systems leaving them open to long-known vulnerabilities.

Accordingly, organisations should be able to mitigate the risk of hefty fines for a data breach by ensuring they have a good data governance system in place, and can demonstrate to the data protection authority that they have taken all appropriate measures to meet their data protection obligations.

The Irish Data Protection Commission has published new guidance on data breach reporting under the GDPR, available here.