The impact of the General Data Protection Regulation ((EU) 2016/679) (GDPR) which came into force across all EU member states on 25 May 2018 has been assessed by the Information Commissioner’s Office (ICO) over the past 3 months. The results were announced by the ICO’s Deputy Commissioner for Operations on 12 September 2018 at the CBI Cyber Security: Business Insight Conference.

The assessment also looked at the impact of the Data Protection Act 2018 (DPA). The speech by the Deputy Commissioner outlined what action had been taken by the ICO and what the key data breach reporting trends were.

This is the first real assessment of data breaches since the GDPR and DPA came into effect. Since 25 May 2018, the ICO has received around 500 calls each week to its breach reporting line. However, around one third of these calls were from organisations self-reporting breaches that, in the ICO’s view, did not meet the reporting threshold.

The main trends identified include:

  • Organisations struggling to meet the 72-hour deadline for reporting a personal data breach, with many forgetting that the 72 hours run continuously and are not limited to working hours;

  • Some reports not adhering to ICO guidance on what should be included, with incomplete reports being submitted. The ICO has reiterated that adequate resources must be assigned to managing breaches within organisations;

  • Some data controllers are over-reporting – although the ICO has given some leeway, it will discourage this once the new threshold has become more familiar.

A draft Regulatory Action Policy has been submitted to Parliament for approval, which sets out the ICO’s approach to monetary penalties. The guidance focuses on proportionality and the discretion of the ICO in relation to taking enforcement action, including looking at factors such as the nature and seriousness of the breach or potential breach and how many individuals it affects. To date, the ICO has not issued any fines under the new regime, and its guidance confirms that fines will only be issued where the ICO considers it “effective, proportionate and dissuasive”. Despite the ICO’s conclusion that there has been over-reporting, it is worth noting that self-reporting is still encouraged, as the ICO will look at the attitude of the organisation when considering whether to take any further action.