GDPR - 72 hour reporting window, a lack of detailed guidance and a fear of fines leads to ICO bombardment as organisations notify the regulator "just in case"

13 Jun 2019 | 01:20 pm | 2 min. read

The first year of the General Data Protection Regulation (GDPR) together with the narrow reporting window, lack of detailed regulatory guidance and threat of multi-million pound fines within this, has changed the risk environment for organisations and has led to a dramatic increase in data breach notifications to the ICO, suggests a new report by Pinsent Masons, the international law firm.

In the 9 months from the implementation of GDPR (25 May 2018 – 25 February 2019) the ICO received a total of 11,562 notifications. A spike in notifications was seen almost immediately post GDPR, with a nearly five-fold increase from April 2018 (under 400 notifications) to June 2018 (over 1,700 notifications). 

  • Reporting to the Information Commissioner's Office (ICO) increased by nearly five-times between April 2018 and June 2018
  • UK notifications to the ICO substantially higher than most other EU jurisdictions
  • ICO now dealing with an average of 1,276 notifications per month 

Based on figures provided to Pinsent Masons, the ICO is now receiving a monthly average of 1,276 notifications (43 notifications per day), a figure significantly higher than most other EU jurisdictions. Three of the EU's other largest economies reported breach notification figures significantly lower than in the UK,  with France, Italy and Spain reporting figures equating to monthly averages of 307, 170 and 94 respectively.

In addition, data from the ICO shows that, cumulatively, in the first nine months following GDPR the regulator closed down 7,771 maters as requiring no further action, a figure representing 66% of the incidents being reported to its office as personal data breaches over the same period. The data also shows that, following GDPR, the ICO did not start to close down on a monthly basis more incidents than were being reported, until December 2018.     

However, a number of EU Data Protection Authorities closed down significantly less with Ireland, Portugal and Spain concluding less than 10% of the total matters being reported in the same time frame and showing significant backlogs across EU DPAs.

Stuart Davey, Senior Associate in Pinsent Masons' Cyber Practice commented, "The spike seen in the incidents reported to the ICO can, in part, be attributed to the greater awareness of the new 72-hour timeframe under GDPR.

"There is a lack of detailed regulatory guidance to help the assessment of whether the reporting threshold has been met, which means that it is often very difficult for data controllers to make a finding at such an early stage. As a result, many are understandably choosing to notify on a precautionary basis to avoid falling foul of the new requirements, or receiving a significant GDPR fine.

"However, as our report explores, not all security incidents require notification to the regulator.

"We are only one year into GDPR and it will be interesting to see reporting figures this time next year and the impact that another twelve months will have on levels of reporting. Things may settle down, but a large GDPR fine in the meantime may add a new dynamic."

Freya Ollerearnshaw, Associate in Pinsent Masons' Cyber Practice added, "The high levels of reporting of personal data breaches under GDPR mean that the ICO is facing a backlog in dealing with notifications. This may result in organisations waiting longer to receive final decisions. However, we have seen that the ICO appears to have gone through an adjustment period and is now starting to close down more notifications than it is receiving.

"Other EU DPAs are closing down a significantly lower proportion of notifications. We have seen data protection authorities across Europe getting used to the new regulatory regime during the past 12 months. However, it is very interesting to see the comparison in the data between different European jurisdictions in terms of the number of personal data breach notifications."

Key Contacts

Latest press releases

Show me all press releases

Pinsent Masons advises NTR plc on 54MW portfolio of co-located solar and battery storage projects in Ireland

Multinational law firm Pinsent Masons has advised NTR PLC on the acquisition of a 54MW portfolio of co-located solar and battery storage projects in County Wexford, Ireland, from renewable energy developer RES.

Pinsent Masons advises on Four Seasons Care Homes portfolio migration

Multinational law firm Pinsent Masons has advised propco investor LDC Care Homes and its asset and investment manager Elevation Advisors on the migration of a care homes portfolio from Four Seasons Health Care Group (FSHC) to new operators.

Pinsent Masons advises Teva Pharmaceuticals on €84m sale of its consumer healthcare brand portfolio to Karo Pharma AB.

Multinational law firm Pinsent Masons has advised Teva Pharmaceuticals’ subsidiary, Actavis Group PTC, on the successful €84m sale of a suite of consumer healthcare products to Karo Pharma AB (Karo).

People who viewed this press release also viewed

Show me all press releases

Pinsent Masons wins at the Asian Legal Business Hong Kong Law Awards

Pinsent Masons was named Construction Law Firm of the Year and Energy and Resources Law Firm of the Year at the Asian Legal Business Hong Kong Law Awards, which was held virtually on 27 November 2020.

Pinsent Masons rolls out the Mindful Business Charter in the Middle East to promote mental health and wellbeing

Pinsent Masons has rolled out its Mindful Business Charter across its business in the Middle East. It adopts and promotes a culture of openness about mental wellbeing and encourages working arrangements that will reduce the unnecessary causes of stress and pressure in the workplace thereby ensuring higher team performances.

Information and data privacy law partner hired in London

Multinational law firm Pinsent Masons has hired partner Jonathan Kirsop as a key addition to its leading data privacy and information law offering.

For all media enquiries, including arranging an interview with one of our spokespeople, please contact the press office on

+44 (0)20 7418 8199 or 

Location contacts