The end of November 2018 marks the six-month anniversary of GDPR. Six months is a short period, but it is long enough to get a first idea of the impact GDPR is having and of how the ICO is managing it. Here are three key points we have observed about GDPR so far.
Between 25th May and 3rd July this year, the ICO received an eye-watering 6281 self-reported data breaches, 160% more than the 2417 it received in the same period of 2017. There are two possible explanations. One is that data breaches have genuinely become more frequent; the other is that, because reporting a personal data breach is now mandatory, the true extent of breaches that previously went unreported is finally coming to light.
Quite possibly both factors are at work.
In a press statement, Peter Goodman, the national policing lead on cybercrime, said that the police would not necessarily pass data security breaches on to the ICO, although they hoped the ICO would pass data security breaches on to the police. According to Goodman, the police had an agreement in place with the ICO that allowed this. It is easy to see why this makes sense from the perspective of encouraging companies to report breaches to the police, but it sits awkwardly with the GDPR reporting requirement: under GDPR the duty to notify the ICO rests with the data controller, and a report to the police does not discharge it, so an organisation that reports only to the police may wrongly believe it has met its obligations. The fact that the police made this statement has to raise questions about how effective the ICO is being in ensuring that all data breaches are, in fact, reported as they should be.
While GDPR gives the ICO the option of imposing significant fines, how this will work in practice is still very much an open question. First, the ICO has traditionally taken a fairly light touch on fines. In the 12 months to 31st March 2018, it levied financial penalties in only 0.3% of the cases reported to it, and in 60% of reported cases it took no further action at all. Data from law firm RPC does show a 24% increase in fines levied by the ICO in the year to 30th September 2018 compared with the previous year (£4.98M, up from £4M), but how much of this is attributable to GDPR is questionable, since investigations into serious data breaches take time. For example, Equifax and Facebook were both recently fined by the ICO, but the offences in question took place while the old Data Protection Act was still in force, so the ICO could only levy the previous maximum fine of £500K on each. The increase could therefore simply reflect more data breaches, or more serious ones.
An important secondary point is that, at present, fines can only be levied against companies, so if a company is dissolved its liability dissolves with it. For this reason, the UK government is currently debating whether the ICO should have the power to impose personal fines on directors, senior officers and partners.
Rather than allowing themselves to be a soft target for cyber criminals, third-sector organisations have an obligation to protect the data of their supporters, partners and service users, and to keep financial details safe from prying eyes and sticky fingers.
Many of these organisations would benefit from specialist training so that they fully understand the issue. They may think they are too small to be targeted, but attackers do not necessarily agree, and protection must be in place if organisations are to remain secure. Where specialist knowledge and skills are required, engaging a third-party organisation that specialises in cyber security is an effective measure.