Following the Information Commissioner’s Office (ICO) report that reveals it has been receiving 500 reports by telephone per week since GDPR came into force, a third of which are considered to be unnecessary or fail to meet the threshold for a data incident, Lillian Tsang, Senior Data Protection and Privacy Consultant from Falanx Group, explains why this over-reporting is happening, what organisations can do to reduce and how it may effect the ICO and its ability to deal with genuine data breach reports.
Lillian Tsang, Senior Data Protection and Privacy Consultant at Falanx Group:
“The over reporting is due to companies wanting to do the “right” thing and wanting to report breaches as and when they occur. It is difficult for a company to decide what is a reportable breach and what is not, even though the legislation is clear. It is the assessment, “whether a breach poses a risk to people’s right and freedom” which makes a breach reportable – this part is the difficult/uncertain element that a company faces. A company would have to come down to a decision and it would be their decision alone, so it can become a matter of subjectivity: a case of “do we or don’t we”. Companies don’t want to play a guessing game because they would rather report a breach, to avoid fines of non-reporting (10 million euros / 2% of global annual turnover) than potentially face the financial and reputational consequences. A breach where sensitive data is leaked relating to individuals is reportable, but an outage where individuals cannot access their personal data is not going to cause too much distress in most cases. However, such outages are commonly reported because companies would “rather be safe than sorry.”
Companies should have a clear breach reporting procedure. They should outline which types of “incidents” are worth reporting and those that are not. This will help them make a decision within the allotted 72-hour time period, which isn’t a great deal of time to make an assessment. This is probably another reason why breaches get reported so quickly- in keeping with the “more safe than sorry” approach. It is also important that these criteria are shared and adopted throughout the whole organisation by training staff and creating greater awareness. Understanding the products and services where potential risks of a breach might occur is also vital by using tools, such as privacy by design and data protection impact assessments, continuously throughout the whole product life cycle. Finally, they companies need to look at and understand guidance from the regulator (UK -ICO) and the European Commission.
I think the ICO are inundated enough, not only with the breach reporting division. Given the ICO has first-hand knowledge of the types of breaches coming forward, they might want to expand on their guidance over time. Provide examples given they know what they are rejecting and upholding.”