The Information Commissioner’s Office (ICO) recently provided the first update on the impact of the General Data Protection Regulation (GDPR) since it went live three months ago.
Over this period the ICO, the UK regulator under GDPR, received an average of 500 calls a week to its breach reporting line. The data it has collected show some important trends in how relevant incidents are being reported. The key lesson is that organisations need to get their incident reporting plans in place and to ensure that:
Breaches are reported within the appropriate time period. Under GDPR a personal data breach must be reported without undue delay and, where feasible, within 72 hours (not working hours) of the organisation becoming aware of it.
Breach reports are as complete as possible before they are submitted. Where details are still missing, the report should give the ICO a rough timeline of when the further information can be expected.
The person reporting the breach is authorised to discuss the problem in the required detail.
Of the cyber incidents reported, nearly half were the result of phishing. Malware (10%) and ransomware (6%) were the other notable causes of the breaches reported.
The NCSC, in collaboration with the ICO, has published guidance on GDPR Security Outcomes.
National Cyber Security Centre Article – 21st September 2018