New data has discovered that a minute percentage of data breaches closed by the Information Commissioner’s Office (ICO) since the GDPR came into force have resulted in monetary punishments.
According to research from personal data security platform Digi.me, of 11,468 self-reported data breach cases handled by the ICO between May 25 2018 and the end of March 2019, just 29 penalties were handed out – a percentage of 0.25% – and none of them have been under the GDPR but rather the previous Data Protection Act, 1998.
The data, obtained by Digi.me under the Freedom of Information Act, also showed that 37,798 data protection concerns have been raised by members of the public since the GDPR came into force. That figure is almost three-times the number of actual data breach cases investigated by the ICO since May 25 2018.
Julian Ranger, founder of digi.me, said: “There is a clear problem with individuals and businesses over-reporting to the ICO. This data demonstrates the extent to which the ICO is inundated by concerns from businesses and the public, the vast majority of which are not serious enough for any kind of penalty or even to warrant an investigation.”
Digi.me’s analysis of the data revealed that the sectors with the most self-reported data breach cases include health, education and finance. The sensitive nature of the data collected by these sectors will only heighten existing concerns about personal data usage, Digi.me said.
Ranger continued: “Businesses and individuals are clearly unsure what constitutes a serious breach of sensitive data. There is no public confidence that personal data is being handled responsibly – any organization that collects personal data should put an informed consent process in place, which has the double benefit of putting individuals back in control of their personal data while also being fully compliant with regulation.”
Jake Moore, cybersecurity specialist at ESET, added: “With data breaches being at an all-time high, organizations need an extra push to get their ducks in a row. The lack of monetary penalties is only going to discourage those companies that are making all the internal changes required to comply with GDPR laws while others are having their cake and eating it too. The appropriate level of enforcement is required to make the needle move; therefore the ICO must practice what it preaches.”
However, an ICO spokesperson said: “We are a proportionate and pragmatic regulator, our work is not just about fines – we prefer education to enforcement but will take our strongest action against those that wilfully, negligently or consistently flout the law.”