There has been a fivefold increase in the number of self-reported personal data breach notifications in the first full month after the GDPR came into force, the Information Commissioner’s Office has revealed.
During a webinar for data controllers, Laura Middleton, head of the ICO’s personal data breach reporting team, revealed there were 1,792 personal data breaches notified to the ICO in June.
This was a 173 per cent rise on the 657 reports received in May 2018, and an almost fivefold increase versus April when there were just 367 notifications.
The sectors which accounted for the highest number of self-reported data breaches were the health, education, general business, solicitors and barristers, and local government sectors, according to the ICO.
“By the ICO’s own admission, they were expecting a significant rise in the self-reporting of personal data breaches following GDPR and the early indications are they haven’t been disappointed,” said David Morris, a technology risk assurance director at RSM.
“This increase doesn’t necessarily mean that more data breach incidents are occurring. It’s more likely that the reporting of issues will now be more accurate as a result of the new rules.
“The increase may also reflect that organisations have understood the importance of the compliance work that they have been doing to prepare for GDPR and the need for the new procedures that they have spent many hours implementing.”
The GDPR places new obligations on employers to self-report qualifying personal data breaches to the ICO within 72 hours of a breach becoming known.
Breaches can typically be of electronic records but they can also cover paper records and other media. In addition to confidentiality breaches to personal data, qualifying breaches can also include incidents of unauthorised or accidental alteration to data, or accidental or unauthorised loss off, access to, or destruction of, personal data.
Morris added: “The message from the ICO seems to be that organisations need to get better at recognising what type of breaches are reportable, and to carry out a full risk assessment in order to be able to make a full disclosure within the 72-hour deadline.
“This is a big culture change for organisations aiming to meet their GDPR compliance obligations.”