The ICO has received 500 calls each week to its breach reporting helpline since the GDPR came into force in May, but around a third of these don’t meet the minimum threshold, according to the deputy commissioner of operations.
James Dipple-Johnstone told the CBI Cyber Conference in London this week that the UK privacy watchdog had been inundated as anxious firms over-report.
In the privacy watchdog’s first update since the new data protection regime came into force, he also revealed that many organizations are “struggling with the concept” of 72-hour breach notifications, interpreting it incorrectly as 72 “working hours.”
Dipple-Johnstone urged organizations to get their incident response plans in place and ensure senior employees are ready to provide as much detail as possible from the start, adding that some breach reports are incomplete.
He urged organizations to check the ICO’s reporting guidelines, and to ensure they have multi-layered security in place, including elements such as two-factor authentication, email filters and anti-spoofing controls, and enhanced staff training and awareness.