The ICO has received 500 calls each week to its breach reporting helpline since the GDPR came into force in May, but around a third of these don’t meet the minimum threshold, according to the deputy commissioner of operations.
James Dipple-Johnstone told the CBI Cyber Conference in London this week that the UK privacy watchdog had been inundated as anxious firms over-report.
In the privacy watchdog’s first update since the new data protection regime came into force, he also revealed that many organizations are “struggling with the concept” of 72-hour breach notifications, interpreting it incorrectly as 72 “working hours.”
Dipple-Johnstone urged organizations to get their incident response plans in place and ensure senior employees are ready to provide as much detail as possible from the start, adding that some breach reports are incomplete.
“It is not very helpful to be told there is a breach affecting lots of customers but the reporter isn’t authorized by the general counsel to tell us more than that,” he argued. “If you don’t assign adequate resources to managing the breach we may ask you why not.”
He urged organizations to check the ICO’s reporting guidelines, and to ensure they have multi-layered security in place, including elements such as two-factor authentication, email filters and anti-spoofing controls, and enhanced staff training and awareness.
Lillian Tsang, senior data protection and privacy consultant at the Falanx Group, argued companies are over-reporting to be on the safe side.
“It is the assessment, ‘whether a breach poses a risk to people’s right and freedom’ which makes a breach reportable — this part is the difficult/uncertain element that a company faces,” she explained.
“A company would have to come down to a decision and it would be their decision alone, so it can become a matter of subjectivity: a case of ‘do we or don’t we?’ Companies don’t want to play a guessing game because they would rather report a breach, to avoid fines of non-reporting than potentially face the financial and reputational consequences.”
To mitigate these challenges, companies need a clear breach reporting procedure outlining which types of incident are worth reporting and which aren’t, she advised.
“This will help them make a decision within the allotted 72-hour time period. It is also important that these criteria are shared and adopted throughout the whole organization by training staff and creating greater awareness,” said Tsang.
“Understanding the products and services where potential risks of a fundamental breach might occur is also vital by using tools, such as privacy by design and data protection impact assessments, continuously throughout the whole product life cycle. Finally, companies need to look at and understand guidance from the regulator and the European Commission.”