Reported data breaches up 160% since GDPR; ICO facilitates student complaints

News by SC Staff

There were fears about the level of data breaches that would be revealed by GDPR's requirement for organisations to report them - and the initial results show reported breaches have more than doubled.

Prior to the introduction of the General Data Protection Regulation, there were fears about the actual level of data breaches that would be revealed now that organisations had a duty to report them - and the initial results show reported breaches have more than doubled.

The Information Commissioner’s Office (ICO) received 6,281 complaints between 25 May and 3 July this year, a 160 percent rise on the same period in 2017, reports law firm EMW.

Financial services, education and health were the most complained about sectors, accounting for more than a quarter of the total. The new rules make it easier for people to access data that companies hold about them, but as a result James Geary, principal at law firm EMW, is reported in the press as saying: "A huge increase in complaints is very worrying for many businesses, considering the scale of the fines that can now be imposed," adding, "There are some disgruntled individuals prepared to use the full extent of GDPR that will create a significant workload for businesses."

Ian Woolley, chief revenue officer at Ensighten, emailed SC Media UK to add that his organisation’s research showed: "45 percent of UK businesses had set money aside in anticipation of regulatory fines before the GDPR deadline – knowing that they would likely fall short of being compliant. But consumer trust has even more value in this new data age and these complaints reinforce that it’s fragile.

"Governing bodies need to be tighter on the misuse of data and follow through with their word of placing financial sanctions on those who do not adhere to the regulation. And brands need to stop viewing GDPR as just a legal hurdle to jump. Consistent data governance is the only way to ensure that brands aren’t putting their customers or reputation at risk."

David Emm, principal security researcher at Kaspersky Lab, commented: "It’s unfortunate that complaints of data breaches have risen, but it’s not surprising. The focus on GDPR over the last two years has made people more aware of privacy issues, and the legislation has empowered them to do something about it if they feel that their privacy is not being respected. The regulations have meant a fundamental change to the way in which companies – and the individuals within them – handle personal information.

"GDPR enforcement presents an opportunity for positive change for customers, who should take this opportunity to find out exactly what data is being held on them – and what it’s being used for, which will also reduce the likelihood of it falling into the wrong hands.

"Consumers should value their data as much as the money in their wallets and purses, and – like they would their physical possessions – take steps to protect it."

Mark Adams, regional vice president of UK & Ireland, Veeam, adds: "To help reduce the chances of breach complaints and payment of heavy fines, businesses have several steps they can take. First and foremost, we'd recommend quickly working to deliver a company-wide employee training programme on data protection and phishing attacks. Human-led errors are still the weakest link in the security chain for a business. No matter who you are or who you work for, this must be right. When the stakes are so high, employees have to be more aware of their actions.

"From a technology standpoint, implementing intelligent data management tools that can automatically spot irregularities and act accordingly is critical. Having the latest security products is no longer enough. ...For many, the answer is nothing at all. Being prepared for the absolute worst is the key to successful response to a data breach. While it's near impossible to prevent all data leakage and data theft, a strong and versatile incident response process can help significantly reduce the complaints that naturally would follow.

"Businesses must therefore now become far more proactive in managing that data, because the cost of failure exceeds the now infamously heavy penalties. It could also cause a long tail of damage for a company’s brand and reputation."

Sarah Armstrong-Smith, head of continuity and resilience at Fujitsu UK and Ireland, notes that: "...investment in good data governance principles engenders trust. The focus needs to be on the interests and rights of data subjects – employees, customers and all stakeholders. Everyone you come into contact with. Their interests need to be the principal focus if companies are to avoid complaints and infringements.

"The fact is that tighter regulations mean companies can no longer be complacent, whether it’s in the collection and processing of data or the reporting of a breach. Companies need to be on the front foot, be logical in managing the data journey and have processes in place should the worst happen."

In another move by regulators likely to increase consumer complaints, the ICO has published a how-to guide which explains to students how they can demand information on how their examinations have been marked. Tony Richards, group CISO at Falanx Group, expressed concern that universities and schools will not be aware of this guidance to students from the ICO, "let alone have the resources to respond within the time period required if a significant number of students made requests."

Jake Moore, security specialist at ESET, concurred, accepting that while it may be an excellent way to make young adults more aware of what data is and how it is stored, he noted that: "If all students jumped on this prospective bandwagon, it may just cause extra problems for the exam bodies at a time when they are heavily preparing for the back to school season. I would always advise that people become aware of what GDPR is and relating it to exams is a sure way to teach them about their personal data.

"As long as only a small number of students are to request such data, then I am sure the schools and colleges would cope. However, there is always a chance that the students could join forces and request en masse but then this could be an anomaly that feeds its way back to the ICO as impossible to facilitate."
