It’s been three months since the GDPR and the Data Protection Act 2018 came into force. You may be wondering what has happened since then.
In a recent speech, the Information Commissioner’s Office (ICO) Deputy Commissioner (Operations), James Dipple-Johnstone, provided an update on activities since 25 May 2018.
He made the following statements that are of interest:
- The ICO has been receiving around 500 calls a week to its breach reporting line since 25 May;
- About a third of the callers discussed their circumstances with ICO officers and decided that their breach did not meet the reporting threshold;
- Approximately a fifth of reported breaches involved cyber incidents, almost half of which resulted from phishing.
Other key trends include:
- Organisations are struggling with the 72-hour deadline set by the GDPR (Article 33 requires notification to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach; the clock runs in calendar hours, not working hours);
- Some reports filed do not contain complete information;
- Some data controllers are “over-reporting”, either as a risk management tool or because they are under the mistaken belief that every breach must be reported.
The practical advice from the ICO includes the following:
- Report breaches by phone, particularly if you need advice about how to manage a breach or whether or not to tell your customers;
- Take extra steps to prevent cyber-attacks, given how many reported breaches result from phishing;
- Read the ICO’s breach reporting guidance on its website.
You’ll find a summary of his speech here.