GDPR - ICO gets 500 breach reports a week!

The transcript of the ICO Deputy Commissioner (Operations) James Dipple-Johnstone speech to the "CBI Cyber Security: Business Insight Conference" makes for interesting reading.  
A short extract is below:

"Busting myths

Last year we spent a lot of our time trying to bust some of the myths that arose around the new data protection regime. Two of the most persistent myths were that organisations would have to report every data breach involving personal information no matter how trivial, and, second, that we would be handing out enormous fines from the 25th May to a pre-determined list of companies.
Of course, neither of those are true. But now, with over three months of practice behind us, I can bring you our very first “ready reckoner” of breach reporting under the GDPR.
We have been receiving around 500 calls a week to our breach reporting line since 25th May, and roughly a third of these are from organisations who, after a discussion with our officers, decide that their breach doesn’t meet our reporting threshold.
Around one in five of reported breaches involve cyber incidents, of which nearly half are the result of phishing. Other than that, causes involve malware (10%), misconfiguration (8%) and ransomware (6%) amongst others.
The key trends we are finding from our reporting system include:
  • Organisations are struggling with the concept of 72 hours as defined by the GDPR. Remember: it’s not 72 working hours, the clock starts ticking from the moment you become aware of the breach.
  • Some reports are incomplete. Our guidance sets out very clearly what you should include when you report a breach. You might not have all that information to hand in the first 72 hours, we get that, but please plan ahead; have people with suitable seniority and clearance to talk to us and be ready to provide as much detail as you can and be able to tell us when we can expect the rest. It is not very helpful to be told there is a breach affecting lots of customers but the reporter isn’t authorised by the general counsel to tell us more than that! If you don’t assign adequate resources to managing the breach we may ask you why not.
  • Some controllers are “over-reporting”: reporting a breach just to be transparent, because they want to manage their perceived risk or because they think that everything needs to be reported. We understand this will be an issue in the early months of a new system but we will be working with organisations to try and discourage this in future once we are all more familiar with the new threshold.
So our advice to you is:
  • Read our reporting guidance – and please don’t wait for a breach to happen before you do.
  • Take some time to gather information and make a decision about whether or not this is a breach that needs reporting. Again, refer to our guidance, particularly about the reporting threshold.
  • Report by phone, particularly if you need advice about how to manage a breach or whether or not to tell your customers.
  • Take extra steps to prevent cyber attacks: implement a multi-layered approach, such as two-factor authentication, email filters and anti-spoofing controls, together with enhanced staff training and awareness.
  • Look at the NCSC / ICO security outcomes and double check against the advice there.
Moving on to monetary penalties: we have set out our approach to using our new powers under our Regulatory Action Policy, as required by Parliament and that is now back with them for approval. Unfortunately – or maybe fortunately – we have not issued any fines for breaches of the new regime to be able to share learning about our approach. Yet.
But there is one further myth in this area I am very happy to scotch: we are not a revenue generating organisation! I suspect that no-one in this room thinks this, but there are commentators out there who do.
So I will say this as plainly as I can: any monetary penalties we levy go straight to the Treasury. We do not see them, and raising money has nothing to do with how we regulate or how we fund the office.
We have a significant range of enforcement and sanctioning powers – but our sole purpose in selecting and using them is to uphold individuals’ information rights in the digital age."
Read the full transcript here.
#gdpr #pecr #dataprotection #hr #ict #eprivacy
