More than three months into the GDPR era, the UK's data privacy watchdog --the Information Commissioner's Office-- has not fined any company yet under the severe terms of the new EU legislation.
These fines, when imposed, can go up to €20 million ($23.35 million) or 4 percent of annual global turnover, whichever of both is highest.
"Unfortunately - or maybe fortunately - we have not issued any fines for breaches of the new regime to be able to share learning about our approach. Yet," said ICO Deputy Commissioner for Operations, James Dipple-Johnstone, during a speech to the CBI Cyber Security: Business Insight Conference held in London, last week.
The ICO official said the agency is not a revenue-generating organization, hence, the reason why they never go for the jugular when a company has been caught misreporting a security or privacy-related GDPR breach.
He says this "intense desire from government agencies to punish companies via the new GDPR legislation" is one of the myths that are currently forming around the new GDPR legislation, mainly due to a lack of information on the public's side.
"As a regulator the ICO does not seek perfection even if to some it may feel like that," Dipple-Johnstone told conference attendees. "The small number of fines we issue always seem to get the headlines, but we close many thousands of incidents each year without financial penalty but with advice, guidance and reassurance."
But while the threat of huge fines is one of the myths surrounding GDPR, a second myth is that companies must report every little cybersecurity-related incident that happens at their premises.
Dipple-Johnstone says this lack of understanding of the actual legislation and breach reporting thresholds has led to hundreds of calls to ICO's offices per week, many of which have not ended with the filing of an official report.
We have been receiving around 500 calls a week to our breach reporting line since 25th May, and roughly a third of these are from organisations who, after a discussion with our officers, decide that their breach doesn't meet our reporting threshold," the ICO official told the conference audience.
"Around one in five of reported breaches involve cyber incidents, of which nearly half are the result of phishing. Other than that, causes involve malware (10%), misconfiguration (8%) and ransomware (6%) amongst others," he added.
The official says companies have not studied the ICO's reporting guidance, and when a breach happens, they're completely unprepared or unaware of what they're supposed to do.
This has led to situations when the 72-hour reporting deadline has been misinterpreted as 72 working hours deadline, or to situations where companies either file incomplete reports or they over-report incidents with too much information.
Also: Here's Google's biggest secret to not failing at security TechRepublic
According to a report over the summer, the ICO says the number of data breach reports it received has quadrupled after the GDPR legislation entered into effect in May.
Previous and related coverage:
Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.
This simple advice will help to protect you against hackers and government surveillance.
Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.
If you can't answer these basic questions, your security could be at risk.
Retired US Air Force cyber-security expert shares his thoughts on the future of critical infrastructure security.
Researchers turn ordinary WiFi devices in rudimentary scanners that can identify potentially dangerous objects hidden inside bags or luggage.