Following the Information Commissioner’s Office (ICO) report that reveals it has been receiving 500 reports by telephone per week since GDPR came into force, a third of which are considered to be unnecessary or fail to meet the threshold for a data incident, Lillian Tsang, Senior Data Protection and Privacy Consultant from Falanx Group, explains why this over-reporting is happening, what organisations can do to reduce it, and how it may affect the ICO and its ability to deal with genuine data breach reports.
Lillian Tsang, Senior Data Protection and Privacy Consultant at Falanx Group:
“Companies should have a clear breach reporting procedure. They should outline which types of “incidents” are worth reporting and those that are not. This will help them make a decision within the allotted 72-hour time period, which isn’t a great deal of time to make an assessment. This is probably another reason why breaches get reported so quickly, in keeping with the “more safe than sorry” approach. It is also important that these criteria are shared and adopted throughout the whole organisation by training staff and creating greater awareness. Understanding the products and services where potential risks of a breach might occur is also vital, by using tools such as privacy by design and data protection impact assessments continuously throughout the whole product life cycle. Finally, companies need to look at and understand guidance from the regulator (UK: ICO) and the European Commission.
I think the ICO are inundated enough, not only with the breach reporting division. Given the ICO has first-hand knowledge of the types of breaches coming forward, they might want to expand on their guidance over time, and provide examples, given they know what they are rejecting and upholding.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.