Is it time for a best practice approach to reporting data breaches post-GDPR?

09 October 2018 / John McDermott

Since the General Data Protection Regulation (GDPR) came into force on 25 May 2018, the ICO has reported receiving around 500 calls a week to its breach reporting line. About a third of those calls concern incidents that did not need to be reported at all; of the breaches that were reported, around 20% involve cyber incidents, and nearly half of those are the result of phishing. John McDermott, Jaywing's Head of CRM, explores in more detail how and when you should report a data breach in order to mitigate potential fines.

With several recent examples of high fines being levied by the ICO, often working in conjunction with the National Cyber Security Centre (NCSC), and with the GDPR giving far greater scope for financial penalties, it is important that organisations have processes in place to protect themselves from being fined.

What's more, the Information Commissioner has recently warned: "The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce."

These recent rulings came in the same month as the CBI Cyber Security Business Insight Conference, at which the ICO assessed how prepared major UK companies are for the new laws. Its assessment of how companies are reporting breaches under the new regime suggests that there is still much to be understood about the process.

How can your organisation avoid heavy fines imposed by the GDPR?

The ICO's findings on the breaches reported to it suggest that many companies lack an established, well-rehearsed procedure for handling a data breach. Such a procedure should be exercised regularly, like a fire drill. Failing to report to the ICO, or not having a sound and rehearsed process in place, can itself increase the fine imposed for a breach.

There should be internal checks and balances covering the reporting, assessment and interpretation of a data incident, which may or may not be a breach, and which in turn may or may not require notification to the ICO. The clear statistic that a third of calls to the ICO concern incidents that did not need reporting suggests that better internal processes are needed so that the correct decision can be made under pressure. That can only come from a deeper understanding of the regulation and from testing your response in a well-rehearsed process.

However, if a suspected breach occurs, this does not mean sitting on the problem and trying to solve it before notifying anyone. Doing so could in itself be a serious infringement of your obligations under the GDPR.

In its webinar this summer, the ICO gave clear guidance on the correct approach to reporting a potential data breach. However, despite greater awareness, the key trends from its reporting system show that:

  • Organisations are struggling with the 72-hour window defined by the GDPR and need to remember that the clock starts from the moment the organisation becomes aware of the breach, not from when the investigation is complete; weekends and holidays count, and a notification made after 72 hours must be accompanied by the reasons for the delay.
  • Some reports are incomplete, because the ICO's guidance on how to report is not being followed. Where not all the facts are available within 72 hours, the GDPR allows the information to be provided in phases, so an initial notification should not be delayed to wait for the full picture.
  • Some controllers are "over-reporting": reporting an incident simply to be transparent, to manage their perceived risk, or because they believe that everything needs to be reported.

This insight implies that while awareness of the new regulation may be high, there is still much work to be done to get reporting processes running smoothly and in a way that reflects the severity of each incident.

And, as some organisations have found recently, the absence of good processes, combined with a culture that lacks awareness of and care for customer data, can push any potential fine towards the maximum.

For more information on GDPR and best practice, visit gdpr.jaywing.com or get in touch with [email protected].