The data watchdog has been warned that its latest attempt to prove that its GDPR enforcement teeth are razor sharp could well come back to bite it on the derrière by triggering another rise in over-reporting.
Yesterday, the Information Commissioner’s Office took a chunk out of British Airways over last year’s data breach, and revealed it intended to fine the airline £183.39m. The move has already been heavily criticised.
One industry insider said: “Whether you agree with the ICO’s action against BA or not, one thing is certain; it will make companies even more jittery. Sadly there is still a lot of confusion about what constitutes a data breach.”
The ICO has already admitted it has 10,000 active cases – and counting – of potential breaches of current and past data protection laws.
Now a new Freedom of Information request by Schools Week shows that, of 1,385 school cases handled by the ICO since GDPR came into force, just 208 (15%) have resulted in some sort of action, although no fines have yet to be levied.
Almost half the ICO’s GDPR school cases were self-reported, while the rest came from third parties. Of the 665 self-referrals from schools, about 80% required no action.
9ine Consulting managing director Mark Orchison told Schools Week: “It does reflect a misunderstanding of what the GDPR actually means. It may be that the schools that are self-reporting just don’t understand what they’re doing.
“If you don’t know whether it’s a breach, you’re likely to report it because you don’t want to get told off. But until you upskill the profession to understand the difference between a breach and a near-miss, you’re going to continue to see a high level of reporting of potential breaches.”
The industry source added: “The only people who appear to be benefiting from this mass confusion are the so-called GDPR experts, who can charge top dollar for dishing out ‘advice’. And we all know how reliable much of that is.
“For the regulator it is a classic Catch 22; do nothing and you are seen as a soft touch. Come down too hard and not only will others will say you are being unreasonable but you will also see a huge increase in your own workload.”
ICO shows ‘staggering’ lack of judgement over BA case
BA faces record £183m GDPR fine for data meltdown
ICO reveals it has 10,000 data breach cases to probe
ICO ‘failings’ exposed as most probes come to nothing
‘GDPR experts’ in the dock over dubious legal advice
Have companies done enough to comply with GDPR?