More than three months into the GDPR era, the UK’s data privacy watchdog –the Information Commissioner’s Office– has not fined any company yet under the severe terms of the new EU legislation.
These fines, when imposed, can go up to €20 million ($23.35 million) or 4 percent of annual global turnover, whichever of both is highest.
“Unfortunately – or maybe fortunately – we have not issued any fines for breaches of the new regime to be able to share learning about our approach. Yet,” said ICO Deputy Commissioner for Operations, James Dipple-Johnstone, during a speech to the CBI Cyber Security: Business Insight Conference held in London, last week.
The ICO official said the agency is not a revenue-generating organization, hence, the reason why they never go for the jugular when a company has been caught misreporting a security or privacy-related GDPR breach.
He says this “intense desire from government agencies to punish companies via the new GDPR legislation” is one of the myths that are currently forming around the new GDPR legislation, mainly due to a lack of information on the public’s side.
“As a regulator the ICO does not seek perfection even if to some it may feel like that,” Dipple-Johnstone told conference attendees. “The small number of fines we issue always seem to get the headlines, but we close many thousands of incidents each year without financial penalty but with advice, guidance and reassurance.”
But while the threat of huge fines is one of the myths surrounding GDPR, a second myth is that companies must report every little cybersecurity-related incident that happens at their premises.
Dipple-Johnstone says this lack of understanding of the actual legislation and breach reporting thresholds has led to hundreds of calls to ICO’s offices per week, many of which have not ended with the filing of an official report.
We have been receiving around 500 calls a week to our breach reporting line since 25th May, and roughly a third of these are from organisations who, after a discussion with our officers, decide that their breach doesn’t meet our reporting threshold,” the ICO official told the conference audience.
“Around one in five of reported breaches involve cyber incidents, of which nearly half are the result of phishing. Other than that, causes involve malware (10%), misconfiguration (8%) and ransomware (6%) amongst others,” he added.
The official says companies have not studied the ICO’s reporting guidance, and when a breach happens, they’re completely unprepared or unaware of what they’re supposed to do.
This has led to situations when the 72-hour reporting deadline has been misinterpreted as 72 working hours deadline, or to situations where companies either file incomplete reports or they over-report incidents with too much information.
According to a report over the summer, the ICO says the number of data breach reports it received has quadrupled after the GDPR legislation entered into effect in May.