Companies are so paranoid about breaching GDPR that they are inundating the Information Commissioner’s Office with over 500 calls a week, a third of which are either unnecessary or fail to meet the threshold for a data incident.
ICO deputy commissioner James Dipple-Johnstone has blamed widespread misconceptions and scaremongering for the huge rise in self-reporting.
Speaking at a CBI conference he said: “Last year we spent a lot of our time trying to bust some of the myths that arose around the new data protection regime. Two of the most persistent myths were that organisations would have to report every data breach involving personal information no matter how trivial, and, second, that we would be handing out enormous fines from May 25 to a pre-determined list of companies.
“Of course, neither of those are true. But now, with over three months of practice behind us, I can bring you our very first ‘ready reckoner’ of breach reporting under the GDPR.
“We have been receiving around 500 calls a week to our breach reporting line since May 25, and roughly a third of these are from organisations who, after a discussion with our officers, decide that their breach doesn’t meet our reporting threshold.”
He highlighted that one mistake many businesses make is to believe that the mandatory reporting period is 72 working hours, whereas, in reality, this is 72 hours from the point of discovery.
Many reports the ICO receives are also incomplete, and many organisations tend to “over-report” out of an inflated desire to be transparent, because they want to manage their perceived risk, or because they simply think they need to report everything, Dipple-Johnstone added.
“The small number of fines we issue always seems to get the headlines, but we close many thousands of incidents each year without financial penalty but with advice, guidance and reassurance. For every investigation which ends in a fine, we have dozens of audits, advisory visits and guidance sessions. That is the real norm of the work we do.”
He concluded that businesses which take their data protection responsibilities seriously “have nothing to fear from an ICO inspection or investigation”.