Companies “over-reporting” data breaches as ICO takes 500 calls per week

Regulator reveals myths around GDPR fines and data breach reporting are still widespread three months in

The exterior of the building used by the Information Commissioner's Office (ICO)

The Information Commissioner's Office (ICO) revealed it has been receiving 500 reports by telephone per week since GDPR came into force, a third of which are considered to be unnecessary or fail to meet the threshold for a data incident.

ICO deputy commissioner James Dipple-Johnstone revealed that misconceptions are still commonplace among organisations more than three months after GDPR came into force, leading to a large number of needless calls to the regulator.

Speaking at the Confederation of British Industry's (CBI's) fourth annual Cyber Security Conference, he added that one mistake many businesses make is to believe that the mandatory reporting period is 72 'working' hours, whereas, in reality, this is 72 hours from the point of discovery.

Many reports the ICO receive are also incomplete, and many tend to "over-report" due to an inflated desire to be transparent, because organisations want to manage their perceived risk, or just think they need to report everything.

The update comes a fortnight after the law firm EMW obtained figures via a Freedom of Information (FOI) request that showed the number of the complaints between 25 May and 3 July this year climbed to 6,281 versus just 2,417 during the same period last year.

"We understand this will be an issue in the early months of a new system," Dipple-Johnstone continued, "but we will be working with organisations to try and discourage this in future once we are all more familiar with the new threshold."

In addition to the update, the ICO was keen to allay any fears that regulator was trigger-happy when it came to issuing fines.

"The small number of fines we issue always seem to get the headlines, but we close many thousands of incidents each year without financial penalty but with advice, guidance and reassurance," he said.

"For every investigation which ends in a fine, we have dozens of audits, advisory visits and guidance sessions. That is the real norm of the work we do."

Although fines of 20 million (or 4% of global annual turnover) are on the table under GDPR, the ICO has repeatedly said in the past it would not simply scale up the 500,000 maximum fine under the Data Protection Act 1998.

Dipple-Johnstone added that businesses that take their data protection responsibilities seriously "have nothing to fear from an ICO inspection or investigation".

Where headline-grabbing fines may be issued are instances where organisations show poor board-level awareness, have incomplete or missing records, have not trained staff, and have continuously deferred security investment among other factors. In fact, in the three months since GDPR, the ICO said it had already found evidence in some reports of a lack of preparation, or an unwillingness on the part of senior leadership to disclose sensitive information to blame for uncooperative breach notifications.

Approximately half of the calls the ICO receives each week involve a cyber element, while a third have involve phishing attacks.

Featured Resources

Four cyber security essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

Recommended

Webhose and Signal Corp boost data breach detection
Security

Webhose and Signal Corp boost data breach detection

7 Oct 2020
ICO to relax GDPR enforcement during coronavirus economic downturn
General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020
The NHS teams up with Apple and Google on coronavirus tracking app
privacy

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
Health sites are 'unlawfully' sharing medical data with Facebook and Google
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020

Most Popular

80% of cyber professionals say the Computer Misuse Act is working against them
Security

80% of cyber professionals say the Computer Misuse Act is working against them

20 Nov 2020
Cisco acquires container security startup Banzai Cloud
Security

Cisco acquires container security startup Banzai Cloud

18 Nov 2020
Weekly threat roundup: Cisco, BlueKeep, Apache Unomi
Security

Weekly threat roundup: Cisco, BlueKeep, Apache Unomi

19 Nov 2020