The introduction of the General Data Protection Regulation (GDPR) one year ago, together with the narrow reporting window, lack of detailed regulatory guidance and threat of multi-million pound fines within this, has changed the risk environment for organisations and led to a dramatic increase in data breach notifications to the ICO, suggests a new report by law firm Pinsent Masons.

In the nine months from the implementation of GDPR (25 May 2018 – 25 February 2019) the ICO received a total of 11,562 notifications. A spike in notifications was seen almost immediately post GDPR, with a nearly five-fold increase from April 2018 (under 400 notifications) to June 2018 (over 1,700 notifications). Reporting to the Information Commissioner's Office (ICO) increased by nearly five-times between April 2018 and June 2018.

Based on figures provided to Pinsent Masons, the ICO is now receiving a monthly average of 1,276 notifications (43 notifications per day), a figure significantly higher than most other EU jurisdictions. Three of the EU's other largest economies reported breach notification figures significantly lower than in the UK, with France, Italy and Spain reporting figures equating to monthly averages of 307, 170 and 94 respectively.

In addition, data from the ICO shows that, cumulatively, in the first nine months following GDPR the regulator closed down 7,771 matters as requiring no further action, a figure representing 66% of the incidents being reported to its office as personal data breaches over the same period.

Stuart Davey, senior associate in Pinsent Masons' cyber practice, said that the spike seen in the incidents reported to the ICO can, in part, be attributed to the greater awareness of the new 72-hour timeframe under GDPR, but he added: "There is a lack of detailed regulatory guidance to help the assessment of whether the reporting threshold has been met, which means that it is often very difficult for data controllers to make a finding at such an early stage. As a result, many are understandably choosing to notify on a precautionary basis to avoid falling foul of the new requirements, or receiving a significant GDPR fine. However, not all security incidents require notification to the regulator.

"We are only one year into GDPR and it will be interesting to see reporting figures this time next year and the impact that another twelve months will have on levels of reporting. Things may settle down, but a large GDPR fine in the meantime may add a new dynamic."

Share Story: