Under GDPR, UK Data Breach Reports Quadruple


After Privacy Law Went Into Full Effect, Data Security Complaints Doubled

(euroinfosec) • May 29, 2019

Photo: Rob Ellis, via Flickr/CC

The United Kingdom has seen the number of data breach notifications more than quadruple since Europe's tough new privacy law went into full force.


The EU's General Data Protection Regulation went into full effect on May 25, 2018. For the first time across all sectors, it requires any organization that suffers a breach of Europeans' personal data to notify the relevant supervisory authority, under Article 33 within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals.

The Information Commissioner's Office, which enforces GDPR in the U.K., says that from May 25, 2018, until the beginning of this month, it received 14,072 data breach reports, compared to receiving just 3,311 from April 2017 through April 2018.

The increase in data breach notifications is a result of mandatory reporting driving better visibility, security experts say. Before last May, most organizations faced no legal obligation to report a data breach to a regulator. Now they do, which means that more data breach discoveries have been coming to light.

Meanwhile, information security experts have told Information Security Media Group that they don't think the frequency of data breaches has increased or decreased significantly since GDPR went into full effect.

"I don't think it's dramatically changed the number or volume of breaches that we've been seeing," Paul Chichester, operations director at Britain's National Cyber Security Centre - the public-facing arm of intelligence agency GCHQ - told ISMG at a press conference held during the NCSC's recent CyberUK conference in Glasgow, Scotland (see: Cybersecurity Drives Intelligence Agencies in From the Cold).

UK Privacy Complaints Double

Under Article 77 of GDPR - "Right to lodge a complaint with a supervisory authority" - Europeans can file complaints with regulators about organizations' data protection practices, as they were also able to do under national law before the new regulation took effect.

From May 25, 2018, until the beginning of this month, the ICO received 41,054 data protection complaints, up from 21,000 in the period spanning April 2017 through April 2018.

An ICO spokesman tells ISMG that most of the complaints concerned "subject access requests, disclosure of data, right to prevent processing, security and data inaccuracy."

EU Privacy Board Tracks Increases

The figures issued by the ICO follow European privacy authorities earlier this month releasing a report on the first nine months of GDPR being in full effect.

The European Data Protection Board says its report represents the "first overview on the implementation of the GDPR and the roles and means of the national supervisory authorities," or SAs.

The EDPB report says that from May 25 of last year until Feb. 18, SAs received 64,684 data breach notifications as well as 94,622 complaints. "Of these cases, 52 percent have been closed and 1 percent are the subject of lawsuits before national courts."

[Figure] Source: EDPB, covering May 25, 2018, to Feb. 18, 2019

Based on previous research, Dutch, German and British privacy authorities have been seeing the greatest number of breach reports, compared to other EU member states (see: Netherlands, Germany and UK Have Logged the Most Data Breach Reports).

The Brussels-based EDPB is an independent European body created by GDPR, and it came into existence on May 25, 2018, the same day the regulation's enforcement began. The EDPB's mandate is to ensure that data protection rules get applied consistently throughout the EU, as well as to encourage the EU's data protection authorities to cooperate (see: GDPR: Europe Counts 65,000 Data Breach Notifications So Far).

The EDPB reports that SAs appear to be applying GDPR consistently across member states, backed by extensive cooperation among privacy authorities as well as a dedicated IT system that enables them all to log and track cases.

"From May 25, 2018, to February 18, 2019, no dispute resolutions were initiated," the board's report reads. "This means that up to now, the SAs were able to reach consensus in all current cases, which is a good sign in terms of cooperation."

In the same time frame, the EDPB says EU member states have imposed $63 million in GDPR fines, most of which reflected France's privacy authority fining Google €50 million (see: France Hits Google With $57 Million GDPR Fine).