Stuart Davey: GDPR data breach notifications in UK among highest in EU
Organisations operating in the UK are reporting data breaches in greater number than in many other parts of the EU and reported incidents have risen dramatically since the introduction of the General Data Protection Regulation (GDPR), writes Stuart Davey.
A new report issued by Pinsent Masons, featuring data gathered from the UK’s Information Commissioner’s Office (ICO), Action Fraud and data protection authorities across Europe, highlighted the issue and flagged the impact it is having on the caseload of the regulators.
Figures provided to Pinsent Masons show that since the GDPR took effect in May 2018, the ICO has received a monthly average of 1,276 data breach notifications – 43 notifications per day. Three of the EU’s other largest economies reported breach notification figures significantly lower than in the UK with the monthly average in France, Italy and Spain being 307, 170 and 94 respectively.
A separate recent report issued by the ICO revealed that it had received around 14,000 personal data breach reports from organisations between 25 May 2018, the date the GDPR became effective, and 1 May 2019. By way of comparison, the ICO said it had received approximately 3,300 personal data breach reports during the year ending 31 March 2018.
Under the GDPR, organisations are obliged to report certain personal data breaches to Data Protection Authorities (DPAs) and affected individuals. A personal data breach is defined under the Regulation as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Organisations must report to data protection authorities personal data breaches they have experienced “without undue delay and, where feasible, not later than 72 hours after having become aware of it … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. In addition, where the breach poses a high risk to data subjects, the data subjects themselves must be informed directly without undue delay.
The ICO said that more than 82 per cent of the personal data breaches reported to it since the GDPR took effect “required no action from the organisation”. The watchdog highlighted the problem of “over-reporting” last year.
The spike seen in the incidents reported to the ICO can, in part, be attributed to the greater awareness of the new 72-hour timeframe under GDPR. There is a lack of detailed regulatory guidance to help the assessment of whether the reporting threshold has been met, which means that it is often very difficult for data controllers to make a finding at such an early stage. As a result, many are understandably choosing to notify on a precautionary basis to avoid falling foul of the new requirements, or receiving a significant GDPR fine.
However, as our report explores, not all security incidents require notification to the regulator. We are only one year into GDPR and it will be interesting to see reporting figures this time next year and the impact that another twelve months will have on levels of reporting. Things may settle down, but a large GDPR fine in the meantime may add a new dynamic.
Our report flagged the impact that the GDPR’s introduction of a general data breach reporting requirement has had on data protection authorities’ caseload. It took the ICO until December 2018 before it began to close down data breach cases faster than they were being reported to it. However, there are significant backlogs across other EU data protection authorities, with watchdogs in Ireland, Portugal and Spain concluding less than 10 per cent of the total matters reported to them over the same time frame.
The high levels of reporting of personal data breaches under GDPR mean that the ICO is facing a backlog in dealing with notifications. This may result in organisations waiting longer to receive final decisions. However, we have seen that the ICO appears to have gone through an adjustment period and is now starting to close down more notifications than it is receiving.
Other EU DPAs are closing down a significantly lower proportion of notifications. We have seen data protection authorities across Europe getting used to the new regulatory regime during the past 12 months. Even so, the comparison in the data between different European jurisdictions, in terms of the number of personal data breach notifications, is very interesting.
Stuart Davey is a senior associate at Pinsent Masons