Businesses more reliant on ICO as data breach reports explode

The UK data regulator has revealed its staff received four times as many reports of personal data breaches during an "unprecedented" 2018/19 as in the previous financial year.

During the first year of the EU's General Data Protection Regulation (GDPR), the Information Commissioner's Office (ICO) looked into a staggering 13,840 reports from organisations versus 3,311 during 2017/18.

Similarly, the number of complaints received from the public rose from 21,019 in 2017/18 to 41,661, according to figures revealed in the regulator's annual report.

Data protection reports submitted by businesses mostly emanated from organisations in general business, 18%, as well as the health sector and education sector, 16% and 13% respectively.

Organisations were also twice as reliant on the ICO for advice or guidance during 2018/19. The number of contacts the ICO held with individuals or businesses climbed from 283,727 during 2017/18 to 471,224 last year. These amount to phone calls, live chats, and written correspondence.

"The ICO has covered an enormous amount of ground over the last year," the Information Commissioner Elizabeth Denham said. This spanned the introduction of GDPR to record-setting fines and a record number of people raising data protection concerns.

"The biggest moment of the year was the GDPR coming into force.

"This saw people wake up to the potential of their personal data, leading to greater awareness of the role of the regulator when their data rights aren't being respected. The doubling of concerns raised with our office reflects that."

The ICO also revealed that its staffing had grown from 505 to more than 700, with the majority of new hires in areas within the organisation handling data protection complaints and customer contact.

Its annual report also pointed to research from March that showed 64% of organisations said they had noticed an increase in users exercising their information rights, as a sign of ICO success in promoting data protection principles.

In terms of financial penalties, meanwhile, the ICO levied 22 fines during 2018/19, totalling more than £3 million for investigations adjudicated under the Data Protection Act 1998.

This involved data protection incidents, like hacks or leaks, that took place prior to GDPR being introduced on 25 May 2018.

The penalties accrued include two maximum £500,000 fines for Equifax Ltd and Facebook for data breaches affecting 15 million UK citizens and 87 million worldwide users respectively. Uber, the Crown Prosecution Service (CPS), and Yahoo! were also issued fines amounting to £960,000 altogether.

These figures are a far cry from the eye-watering sums discussed prior to GDPR's introduction, with organisations facing penalties of up to 20 million or 4% of turnover. But this can be explained by the fact the ICO concluded no investigations into incidents occurring after GDPR was introduced during the 2018/19 window.

The report, however, was released just as the ICO issued its second prospective GDPR fine against an organisation in as many days, with more expected to follow in the coming months.

From just two probes into British Airways and Marriott, the treasury could reap up to £282 million in data protection fines.

"So many of our conversations are around the use of personal data in digital services," Elizabeth Denham continued. "It is early stages, but the GDPR has so far demonstrated that it is a law that can work alongside emerging technologies and creative approaches.

"There's no dichotomy between digital innovation and data protection. But progress relies on consumers trusting organisations with their data, and organisations stand at the front line on this.

"For our part, we are working on key guidance and codes, notably around internet harms and age-appropriate design online, that we believe will increase this trust."

Keumars Afifi-Sabet
Features Editor
