UK watchdog has not issued any GDPR data breach-related fines yet

UK official says ICO has been receiving 500 calls a week to the agency's breach reporting line since May 25, the day the new GDPR regulation entered into effect.
Written by Catalin Cimpanu, Contributor

More than three months into the GDPR era, the UK's data privacy watchdog, the Information Commissioner's Office (ICO), has not yet fined any company under the severe terms of the new EU legislation.

These fines, when imposed, can go up to €20 million ($23.35 million) or 4 percent of annual global turnover, whichever is higher.


"Unfortunately - or maybe fortunately - we have not issued any fines for breaches of the new regime to be able to share learning about our approach. Yet," said ICO Deputy Commissioner for Operations James Dipple-Johnstone during a speech at the CBI Cyber Security: Business Insight Conference held in London last week.

The ICO official said the agency is not a revenue-generating organization, which is why it does not go for the jugular when a company has been caught mishandling or misreporting a security or privacy-related breach under GDPR.

He says this "intense desire from government agencies to punish companies via the new GDPR legislation" is one of the myths currently forming around the new legislation, mainly because the public lacks information about how the regulator actually works.

"As a regulator the ICO does not seek perfection even if to some it may feel like that," Dipple-Johnstone told conference attendees. "The small number of fines we issue always seem to get the headlines, but we close many thousands of incidents each year without financial penalty but with advice, guidance and reassurance."


But while the threat of huge fines is one of the myths surrounding GDPR, a second myth is that companies must report every minor cybersecurity-related incident that happens on their premises.

Dipple-Johnstone says this lack of understanding of the actual legislation and of its breach reporting thresholds has led to hundreds of calls to the ICO's offices per week, many of which have not ended with the filing of an official report.

"We have been receiving around 500 calls a week to our breach reporting line since 25th May, and roughly a third of these are from organisations who, after a discussion with our officers, decide that their breach doesn't meet our reporting threshold," the ICO official told the conference audience.

"Around one in five of reported breaches involve cyber incidents, of which nearly half are the result of phishing. Other than that, causes involve malware (10%), misconfiguration (8%) and ransomware (6%) amongst others," he added.


The official says companies have not studied the ICO's reporting guidance, so when a breach happens they are completely unprepared or unaware of what they are supposed to do.

This has led to situations where the 72-hour reporting deadline has been misread as 72 working hours, or where companies either file incomplete reports or over-report incidents, burying them in too much information.

The ICO official recommended that companies read the ICO's breach reporting guidance and watch its webinars before calling or opening its breach reporting portal.


According to a report published over the summer, the ICO said the number of data breach reports it receives has quadrupled since the GDPR legislation entered into effect in May.
