The UK's deputy information commissioner, James Dipple-Johnstone, highlighted the problem of "over-reporting" in a speech at a cybersecurity conference hosted by the CBI earlier this week.
"Some controllers are 'over-reporting': reporting a breach just to be transparent, because they want to manage their perceived risk or because they think that everything needs to be reported," Dipple-Johnstone said. "We understand this will be an issue in the early months of a new system but we will be working with organisations to try and discourage this in future once we are all more familiar with the new threshold."
He said that since the GDPR took effect on 25 May, around 500 calls a week have been made to the ICO's breach reporting phone line and that about one third of the incidents discussed with ICO staff turned out not to be reportable under the GDPR's data breach notification threshold.
Organisations are obliged to disclose certain personal data breaches to data protection authorities and affected individuals under the GDPR. A personal data breach is defined under the Regulation as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
Organisations must notify local data protection authorities of personal data breaches they have experienced "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons". In addition, where a breach is likely to result in a high risk to the data subjects, those individuals must be informed directly without undue delay.
Dipple-Johnstone said that some organisations have been "struggling with the concept of 72 hours as defined by the GDPR". He reiterated that the 72-hour deadline is not measured in working hours only and that "the clock starts ticking from the moment you become aware of the breach".
He also said some of the data breach reports the ICO have been receiving have been "incomplete", although he reaffirmed that organisations can notify the ICO of details of the breach in stages as they emerge.
"Our guidance sets out very clearly what you should include when you report a breach," Dipple-Johnstone said. "You might not have all that information to hand in the first 72 hours, we get that, but please plan ahead; have people with suitable seniority and clearance to talk to us and be ready to provide as much detail as you can and be able to tell us when we can expect the rest."
"It is not very helpful to be told there is a breach affecting lots of customers but the reporter isn’t authorised by the general counsel to tell us more than that! If you don’t assign adequate resources to managing the breach we may ask you why not," he said.
Data protection law expert Anna Flanagan of Pinsent Masons, the law firm behind Out-Law.com, said it is not the first time the ICO has highlighted issues with the over-reporting of data breaches.
"In their very first webinar post 25-May the ICO indicated that over-reporting of data breaches was a problem," Flanagan said. "In our view, data controllers flooding the ICO with an avalanche of notifications could not be carrying out the appropriate risk analysis – over-notification could attract unnecessary and unwanted attention. Additionally, previous guidance issued by EU data protection watchdogs also makes it clear that constant notification of data subjects could result in notification ‘fatigue’."
Dipple-Johnstone also used his speech to emphasise the link between data privacy and data security.
Technology law expert Sarah Cameron of Pinsent Masons said that some businesses, including those developing products for the 'internet of things' (IoT) age, may not fully appreciate that their cybersecurity practices have a major impact on their compliance with privacy rules under the GDPR.
In his speech, Dipple-Johnstone said: "Data security and data privacy have always been linked. Privacy depends on security. No obligation to provide privacy will be meaningful if the data to be protected are accessed or stolen by unauthorised third parties. As a result, all modern data protection principles include an obligation to protect information and security and that has been recognised in every significant codification of data protection, including the EU General Data Protection Regulation and the new Data Protection Act."
Earlier this year the UK government, in collaboration with industry and the National Cyber Security Centre, developed a draft code of practice designed to improve security in consumer IoT products and associated services. The ICO had input into the code, further emphasising the association between security and privacy, Cameron said.
"The GDPR provisions on data protection by design and by default and security of processing spell out clearly the link between security and privacy," Cameron said. "By highlighting this in the speech, the ICO will be hoping to get businesses to appreciate the direct link and highlight that a lack of security by design may open them up to breach of GDPR and the financial consequences that might involve, and to move the issue onto the boardroom agenda."