ICO reveals fivefold increase in personal data breach reports

The Information Commissioner’s Office (ICO) has revealed a big rise in the number of self-reported personal data breach notifications in the first full month following the introduction of the new General Data Protection Regulation (GDPR).

During a webinar for data controllers posted on the ICO website, Laura Middleton, head of the ICO’s personal data breach reporting team, revealed there were 1,792 personal data breaches notified to the ICO in June, following the introduction of the GDPR on 25 May 2018. This was a 173 per cent rise on the 657 reports received in May 2018, and an almost fivefold increase versus April, when there were just 367 notifications.

The sectors which accounted for the highest number of self-reported data breaches were the health, education, general business, solicitors and barristers, and local government sectors, according to the ICO.

Last year, the number of self-reported data breaches increased by 29 per cent, from 2,447 in the 2016-17 year to 3,156 in 2017-18, according to the ICO’s annual report.

The GDPR places new obligations on employers to self-report qualifying personal data breaches to the ICO within 72 hours of a breach becoming known.

Breaches are typically of electronic records, but they can also cover paper records and other media. In addition to breaches of the confidentiality of personal data, qualifying breaches can also include incidents of unauthorised or accidental alteration of data, or accidental or unauthorised loss of, access to, or destruction of, personal data.

David Morris, a technology risk assurance director at RSM, said: ‘By the ICO’s own admission, they were expecting a significant rise in the self-reporting of personal data breaches following GDPR and the early indications are they haven’t been disappointed.

‘This increase doesn’t necessarily mean that more data breach incidents are occurring. It’s more likely that the reporting of issues will now be more accurate as a result of the new rules. The increase may also reflect that organisations have understood the importance of the compliance work that they have been doing to prepare for GDPR and the need for the new procedures that they have spent many hours implementing.

‘Organisations that suffer a qualifying personal data breach have just 72 hours to notify the ICO and provide an assessment of the risks involved to the individuals whose data has been compromised. They are also obliged to set out what actions they propose to take to mitigate the loss and prevent it happening again.

‘The message from the ICO seems to be that organisations need to get better at recognising what type of breaches are reportable, and to carry out a full risk assessment in order to be able to make a full disclosure within the 72-hour deadline. This is a big culture change for organisations aiming to meet their GDPR compliance obligations.’