UK DPA (ICO) shares insight on data breach reporting requirements
The ICO said during a recent webinar that the number of breaches reported in June 2018 was around 1,750, more than four times the number reported in March and April 2018 and considerably more than the roughly 700 reported in May.
The ICO identified a number of interesting trends. Unsurprisingly, it has noticed an increase in 'over-reporting', where controllers are so concerned about not complying with the notification requirements that they are notifying the ICO of breaches that do not meet the threshold for notification. Data controllers should instead focus on maintaining their own internal record of data breaches that do not meet the notification threshold, together with their reasoning as to why.
This Data Breach Reporting webinar was aimed at data controllers and gave advice and guidance on how and when to report security breaches to the ICO.
It was a very useful snapshot of breach reporting activity just before and after GDPR came into force. It seems that organisations are over-reporting because they are not properly risk-assessing the impact of their breaches. Organisations could adopt a risk-based approach such as ENISA's Recommendations for a methodology of the assessment of severity of personal data breaches. See: https://www.enisa.europa.eu/publications/dbn-severity
Although the ENISA methodology is a few years old, it is still relevant (perhaps more relevant) today. Most of these incidents were probably swept under the carpet before; now all of them should be properly risk-assessed for impact, using an objective approach to decide the level at which a breach becomes reportable.
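As an added illustration of what an objective, repeatable assessment looks like (this is example code written for this page, not ENISA's or the ICO's own tooling), the following Python applies ENISA's severity formula, SE = DPC x EI + CB (data processing context times ease of identification, plus circumstances of breach), to a few constructed incidents and produces the internal record the ICO asks controllers to keep for breaches that fall below the notification threshold. The numeric scores, the severity bands and the rule that only a "low" result is not notified are assumptions the controller must own and document; the three incidents are invented for the example.

```python
from dataclasses import dataclass

# Data Processing Context (DPC): base score for the kind of data involved.
# Values follow the ENISA severity methodology as understood by this example.
DPC_SCORES = {"simple": 1, "behavioural": 2, "financial": 3, "sensitive": 4}

# Ease of Identification (EI): how directly the data points at a person.
EI_SCORES = {"negligible": 0.25, "limited": 0.5, "significant": 0.75, "maximum": 1.0}


@dataclass
class Breach:
    """One incident as recorded in the controller's internal breach register."""
    ref: str
    description: str
    data_category: str                 # key of DPC_SCORES
    identifiability: str               # key of EI_SCORES
    confidentiality_loss: float = 0.0  # 0 none, 0.25 known recipients, 0.5 unknown recipients
    integrity_loss: float = 0.0        # 0 none, 0.25 recoverable, 0.5 irreversible
    availability_loss: float = 0.0     # 0 none or brief, 0.25 recoverable with difficulty, 0.5 permanent
    malicious_intent: bool = False     # deliberate act adds 0.5


def severity_score(b: Breach) -> float:
    """SE = DPC x EI + CB, where CB sums the circumstances-of-breach factors."""
    cb = b.confidentiality_loss + b.integrity_loss + b.availability_loss
    if b.malicious_intent:
        cb += 0.5
    return DPC_SCORES[b.data_category] * EI_SCORES[b.identifiability] + cb


def severity_band(se: float) -> str:
    """Assumed band thresholds: <2 low, <3 medium, <4 high, otherwise very high."""
    if se < 2:
        return "low"
    if se < 3:
        return "medium"
    if se < 4:
        return "high"
    return "very high"


def assess(b: Breach) -> dict:
    """Score one breach and write the register entry, including the reasoning
    the ICO expects to see for incidents that are deliberately not notified."""
    se = severity_score(b)
    band = severity_band(se)
    notify = band != "low"  # assumed policy: anything above 'low' is reported to the ICO
    reason = (f"SE={se:.2f} ({band}); "
              + ("notify ICO within 72 hours" if notify
                 else "below notification threshold, recorded internally only"))
    return {"ref": b.ref, "score": se, "band": band, "notify_ico": notify, "record": reason}


def build_register(breaches: list) -> list:
    """Assess every incident so the register shows both notified and non-notified cases."""
    return [assess(b) for b in breaches]


# Constructed sample incidents (not real cases).
SAMPLE_BREACHES = [
    Breach("BR-001", "Staff list e-mailed to the wrong internal mailbox, recalled same day",
           "simple", "maximum", confidentiality_loss=0.25),
    Breach("BR-002", "Unencrypted laptop with customer bank details stolen from a car",
           "financial", "maximum", confidentiality_loss=0.5, malicious_intent=True),
    Breach("BR-003", "Health records briefly unreadable after a failed migration, restored from backup",
           "sensitive", "limited", availability_loss=0.25),
]

if __name__ == "__main__":
    for entry in build_register(SAMPLE_BREACHES):
        print(entry["ref"], entry["record"])
```

The point of keeping the scoring in code rather than in a reviewer's head is that two people assessing the same incident get the same answer, and the register entry carries the numbers behind the decision, which is exactly the reasoning the ICO said it wants to see for breaches that are not notified.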
Another interesting point was that organisations are not reporting at the correct time, i.e. rushing to notify before the full facts were known (the example given was a payroll file being lost and then found an hour later) or phoning the ICO on a Friday afternoon (leaving it until the last minute), when the phone lines seem to be busiest.
I'm sure this will settle down over time as we get used to the new landscape. It's definitely worth a view, if only to see it from the ICO's perspective.