Latest Data breach facts revealed – GDPR update
As part of his ongoing updates on the incoming GDPR, Matt Jackson, Associate Solicitor in our Corporate and Commercial Team, comments on the latest Information Commissioner’s Office report.
The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has just released its Annual Operation Reports, copies of all of which can be found here.
Of the 6 reports available, the report titled “Data Protection Reports and Concerns” provides us with some very interesting, and useful, insight as to the current state of data breaches, and data breach reporting, in the UK. The report can be viewed here. This report is of particular interest as it is the one we are likely to see the most change in once the General Data Protection Regulations (GDPR) come into force as of May next year.
The key things to take away from the report are:
- There were over 2,500 self-reported “incidents” for 2016-2017, a rise of over 25% on the previous year. This is particularly interesting as: (1) there is no obligation under the current regime to actually self-report breaches (this isn’t the case under GDPR); and (2) not all of these will be breaches; a number will be cases where the entity reporting has erred on the side of caution and reported an incident as a breach when, in fact, it wasn’t.
- Of the incidents reported, just under 70% resulted in absolutely no action being taken by the ICO, with less than 1% (17 in total) resulting in a fine being levied.
- 41% of self-reports came from the healthcare sector. This is particularly noteworthy as it is highly likely that many of these incidents involved ‘sensitive’ personal data (being data relating to a variety of categories, including a person’s medical history and mental health) being lost or revealed unlawfully. Under GDPR this kind of breach could result in fines of up to €20,000,000 being levied (perhaps greater if the offending company’s turnover is sufficiently high).
- Over ¼ of breaches related to information being sent to the wrong person and/or address.
This report is timely, given that we are now less than 1 year away from GDPR coming into law, on 25 May 2018 to be precise. GDPR will bring with it an obligation on data controllers to self-report any data breaches, together with an increased ability for the ICO to levy significant fines for such data breaches.
As a result, the first annual operational report published after GDPR should be very interesting and, if companies are complying with their GDPR obligations, we should see a significant increase in the number of reports. Whether we will then see an increase in the proportion of these reports that result in fines remains to be seen. Given that the ICO will somehow have to find the resources to deal with the increased reports, together with resourcing its wider obligations under GDPR, it would not be at all surprising to see a rise in the number of fines issued.
We will be writing further blogs on GDPR as the “go-live” date approaches. However, if you have any questions at all regarding data protection, your obligations under the Data Protection Act or the forthcoming GDPR, please do contact Matt Jackson, Associate Solicitor in our Corporate and Commercial Team, who will be happy to help.