The first few months of the EU’s General Data Protection Regulation (GDPR) have seen a marked increase in breach notifications, as some organisations struggle under the new regime.
Regulators and insurers have seen a significant uptick in data breach notifications since the regulation was implemented in May. These breaches are providing some useful insights, as regulators, corporates and cyber insurers feel their way through the new regime’s many requirements.
Notifications to the UK data protection regulator quadrupled in the first few months of the GDPR, with large increases also reported in France and Belgium. The UK’s Information Commissioner’s Office (ICO) recently revealed that it is dealing with more than 500 calls to its data breach notification hotline each week.
It is not only the number of data breaches that is causing concern. Companies that suffer a breach will need to navigate new rules and requirements, many of which are open to interpretation. The introduction of the GDPR has certainly been a steep learning curve for many of AIG’s clients, according to Mark Camillo, head of cyber for EMEA at the insurer.
Speaking at a Confederation of British Industry cybersecurity event, ICO deputy commissioner James Dipple-Johnstone revealed that some companies are “over-reporting” data breaches. About a third of the calls to the ICO hotline are for breaches that do not meet the GDPR reporting threshold. The ICO has said it will try to discourage this practice in future.
The ICO also said that some companies are struggling with some of the basic concepts of the GDPR, such as the requirement to report a data breach to the regulator within 72 hours. It also highlighted the problem of incomplete data breach reporting, noting that it expects organisations to plan ahead and have people with suitable seniority ready to provide as much detail as possible.
The next year or so will be a test for the GDPR as regulators and companies interpret the notification requirements and experience data breaches, according to Nigel Pearson, group cyber director at RSA. “The next six to 12 months will be a shakedown for the GDPR,” he said.
Full article on Commercial Risk (subscription required)
© Commercial Risk Europe