GDPR: an update

It’s been 3 months since the GDPR and Data Protection Act 2018 came into force. You may be wondering what has happened since then.

In a recent speech, the Information Commissioner’s Office (ICO) Deputy Commissioner (Operations), James Dipple-Johnstone, provided an update on activities since 25 May 2018.

He made the following statements that are of interest:

  • The ICO has been receiving around 500 calls a week to its breach reporting line since 25 May;
  • About a third of the callers discussed their circumstances with the ICO officers and decided that their breach did not meet the reporting threshold;
  • Approximately a fifth of reported breaches involved cyber incidents, almost half of which were a result of phishing.

Other key trends include:

  • Organisations are struggling with the concept of 72 hours as defined by the GDPR (it’s not 72 working hours);
  • Reports filed do not contain complete information;
  • Some data controllers are “over-reporting” as a risk management tool or because they are under the mistaken belief that everything must be reported.

The practical advice from the ICO includes the following:

  • Report breaches by phone, particularly if you need advice about how to manage a breach or whether or not to tell your customers;
  • Take extra steps to prevent cyber-attacks;
  • Read the ICO reporting guidance on their website.

You’ll find a summary of his speech here.
