The United Kingdom’s Information Commissioner’s Office (ICO) has been receiving around 500 calls a week pertaining to data breaches since the European Union’s General Data Protection Regulation (GDPR) took effect.
Speaking before hundreds of senior business leaders at the Confederation of British Industry’s (CBI’s) fourth annual Cyber Security Conference, ICO deputy commissioner James Dipple-Johnstone revealed that of the 500 breach-related calls received weekly by the Office, a third of them aren’t warranted or pertain to events that don’t qualify as data security incidents.
All of these unnecessary reports could be an indication that organizations are eager to comply. Dipple-Johnstone noted that many organizations tend to “over-report” the details of a perceived security incident, a tendency he attributed to their desire to manage their risk or to a prevailing perception that they need to report everything, ITPro reported.
Despite these attempts to maintain transparency, some companies failed to comply with the ICO’s reporting requirements. Dipple-Johnstone explained that some of the data breach reports received by the Office were incomplete. In other notices, organizations mistook the mandatory reporting period of 72 hours for 72 “business” hours, rather than three consecutive days from the moment of discovery.
These findings came at around the same time that cloud and data firm Talend disclosed that a majority of organizations were failing to comply with certain elements of GDPR. Specifically, it found that just 35 percent of EU-based companies were fulfilling, within the legal time frame, subject access requests (SARs) filed by customers seeking to access the data held about them by controllers. Outside of Europe, only half of organizations were meeting those deadlines.
Dipple-Johnstone said the ICO will be working with organizations to help them with their data protection efforts going forward. He also pointed out that the ICO doesn’t always issue fines following an investigation into a potential data security incident. As quoted by ITPro:
The small number of fines we issue always seem to get the headlines, but we close many thousands of incidents each year without financial penalty but with advice, guidance and reassurance. For every investigation which ends in a fine, we have dozens of audits, advisory visits and guidance sessions. That is the real norm of the work we do.
Data protection goes beyond implementing security technologies like encryption and machine learning. It also involves investing in those who use those solutions.