UK regulator highlights GDPR teething problems

05 October 2018

Some companies may be struggling to understand what is required of them under the General Data Protection Regulation (GDPR), while others are being overly cautious, according to the UK’s Information Commissioner’s Office (ICO).

Speaking at a recent CBI cyber security event, ICO Deputy Commissioner James Dipple-Johnstone gave feedback on the regulator’s experience of the GDPR, which was implemented on 25 May 2018. Unsurprisingly, the number of complaints and notifications has risen sharply - the ICO has received around 500 calls a week to its breach reporting hotline since the GDPR was enforced. One in five reported breaches involve cyber incidents, of which nearly half are the result of phishing. Malware accounted for 10% of breaches, misconfiguration 8% and ransomware 6%, the ICO says.

According to law firm EMW, complaints to the ICO about potential data breaches have more than doubled since the GDPR came into effect. There were 6,281 complaints between 25 May and 3 July this year, a 160% rise over the same period in 2017. This followed a 75% increase in the number of data breach incidents self-reported to the ICO over the past two years, as organisations prepared for the new data protection regime, according to risk consultant Kroll.


Interestingly, the ICO says that some companies are struggling with the concept of notification as defined by the GDPR, which requires an organisation to report a personal data breach (that is likely to result in the risk of harm to affected data subjects) to the regulator within 72 hours. In his presentation, Dipple-Johnstone reminded companies that the “clock starts ticking” from the moment an organisation becomes aware of a breach - it is not 72 “working hours” as some firms believe.

The regulator also noted that some data controllers are “over-reporting” data breaches; either to be transparent, to manage the perceived risk or because they think that everything needs to be reported. Around a third of the calls to the ICO hotline are from organisations that, after discussion with the ICO, decide that their breach does not meet the GDPR reporting threshold. While some over-reporting is to be expected, the ICO says that it will try and discourage the practice in the future.

Notification of data breaches under the GDPR has also resulted in some incomplete reporting to the ICO. The regulator notes that its guidance sets out “clearly” what an organisation should include when it reports a data breach. While all the required information might not be to hand in the first 72 hours, the ICO expects organisations to “plan ahead, have people with suitable seniority and clearance to talk to the regulator and be ready to provide as much detail as possible”. If an organisation fails to assign adequate resources to manage a data breach, the ICO says it will investigate why this is the case.

Subscribe to our  Latest Cyber Decoder newsletter


The ICO has yet to fine an organisation under the GDPR, but Dipple-Johnstone gave some insight into the regulator’s intentions in this area. He says companies that make the right commitments to customers will have little to fear from an ICO inspection or investigation. While the ICO has issued higher levels of fines in the past year, this was because investigations revealed that the organisation’s own controls and culture had contributed to the incidents.

The ICO says that it will not take issue with companies that suffer a data breach if they can show they have taken their responsibilities under the GDPR seriously; if they treat cyber security as a boardroom issue, and demonstrate a robust culture with appropriate controls and accountability. The regulator says that it will recognise steps taken by organisations, such as those to protect data in line with ICO security guidance and the use of privacy by design.


Also speaking at the CBI event on 12 September in London was Ciaran Martin, CEO of the National Cyber Security Centre, the UK government’s cyber security organisation. His message was clear: board members need to do more to understand the basics of cyber attacks, cyber risks and cyber defences.

Board members at two-thirds of FTSE 350 firms have never had any training on how to deal with a cyber incident, while one in 10 boards have no plans to deal with one, according to the FTSE 350 Cyber Governance Health Check 2017.

According to Martin, board members need to close the knowledge gap to become more technical and cyber literate. To that end, the NCSC will publish guidance this winter on cyber security for large corporate organisations. As a taster, the NCSC published five questions that it encourages boards to ask:

  • How do we defend our organisation against phishing attacks?
  • What do we do to control the use of our privileged IT accounts?
  • How do we ensure that our software and devices are up to date?
  • How do we ensure our partners and suppliers protect the information we share with them?
  • What authentication methods are used to control access to systems and data?

Download Cyber Decoder

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on