Under the GDPR, organisations are obliged to disclose certain personal data breaches to data protection authorities and affected individuals. A personal data breach is defined under the Regulation as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
Organisations must notify local data protection authorities of personal data breaches they have experienced "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons". In addition, where there is a high risk of damage arising to the data subject then the data subjects must be informed directly without undue delay.
A separate recent report issued by the ICO revealed that it had received around 14,000 personal data breach reports from organisations between 25 May 2018, the date the GDPR became effective, and 1 May 2019. By way of comparison, the ICO said it had received approximately 3,300 personal data breach reports during the year ending 31 March 2018.
The ICO said that more than 82% of the personal data breaches reported to it since the GDPR has taken effect "required no action from the organisation". The watchdog highlighted the problem of "over-reporting" last year.
Pinsent Masons' report flagged the impact that the GDPR's introduction of a general data breach reporting requirement has had on data protection authorities' caseload. It took the ICO until December 2018 before it began to close down data breach cases faster than they were being reported to it, according to the report. However, there are significant backlogs across other EU data protection authorities, with watchdogs in Ireland, Portugal and Spain concluding less than 10% of the total matters reported to them over the same time frame.
Data protection and cyber risk experts at Pinsent Masons said the GDPR's tight deadline for reporting personal data breaches together with a lack of detailed regulatory guidance on reporting and the threat of multi-million pound fines has changed the risk environment for organisations and has led to a dramatic increase in data breach notifications to the ICO.
Stuart Davey of Pinsent Masons said: "The spike seen in the incidents reported to the ICO can, in part, be attributed to the greater awareness of the new 72-hour timeframe under GDPR. There is a lack of detailed regulatory guidance to help the assessment of whether the reporting threshold has been met, which means that it is often very difficult for data controllers to make a finding at such an early stage. As a result, many are understandably choosing to notify on a precautionary basis to avoid falling foul of the new requirements, or receiving a significant GDPR fine."
"However, as our report explores, not all security incidents require notification to the regulator. We are only one year into GDPR and it will be interesting to see reporting figures this time next year and the impact that another twelve months will have on levels of reporting. Things may settle down, but a large GDPR fine in the meantime may add a new dynamic," he said.
Freya Ollerearnshaw, also of Pinsent Masons, said: "The high levels of reporting of personal data breaches under GDPR mean that the ICO is facing a backlog in dealing with notifications. This may result in organisations waiting longer to receive final decisions. However, we have seen that the ICO appears to have gone through an adjustment period and is now starting to close down more notifications than it is receiving."
"Other EU DPAs are closing down a significantly lower proportion of notifications. We have seen data protection authorities across Europe getting used to the new regulatory regime during the past 12 months. However, it is very interesting to see the comparison in the data between different European jurisdictions in terms of the number of personal data breach notifications," she said.