July 15, 2019

GDPR triggers 175% jump in data breach whistleblower reports to ICO

By Robert Scammell

The number of whistleblowers reporting a data breach to the UK’s data watchdog has soared by 175% since the introduction of GDPR, according to London-headquartered law firm RPC.

Since Europe’s tougher data laws came into force in May 2018, whistleblower reports to the Information Commissioner’s Office about a data breach have jumped from 138 in 2017/2018 to 379 in 2018/19.

RPC attributes the rise in whistleblower data breach reports to the tougher penalties that come with GDPR, which has made people warier when it comes to handling personal data and reporting breaches.

“GDPR has driven a cultural shift in how people perceive personal data and its value,” said Richard Breavington, partner at RPC. “More people now see it as part of their personal property, and they are more likely to act if they believe it is being misused.”

The research follows last week’s GDPR fine frenzy, in which the ICO issued its first and second GDPR fines in less than 30 hours, coming to a combined total of £282m.

On 8 June, British Airways was slapped with a £183m fine for falling victim to a cyberattack in September 2018 in which attackers stole sensitive personal information such as payment details.

The next day, hotel chain Marriott International was stung with a £99m fine after a cyberattack on its subsidiary Starwood exposed the personal data of some 500 million customers to attackers over a four-year period.

Data breach whistleblower rise: The ICO has teeth

“The ICO has shown that it is a regulator to be respected,” said Breavington. “The FCA [Financial Conduct Authority] had traditionally been thought to be among the tougher regulators in the UK, but the fines the ICO is levying are now on a different scale.”

Those working in data protection had long been awaiting the first fine under GDPR, which threatens maximum fines of €20m or 4% of global annual turnover. After a year passed without fines, some had started to question whether GDPR had been overstated. That’s now changed, following the Marriott and British Airways fines.

“There were a lot of eyes on the ICO, waiting to see how it would use its new powers. Few foresaw it hitting a business with such a high fine at this stage,” said Breavington.

The fines, and the number of whistleblower reports, should cause businesses to take heed, said Breavington.

“The jump in whistleblowing reports of data breaches will be a concern to businesses,” said Breavington. “The ICO’s large fines mean data security continues to be a C-suite issue for businesses that hold personal data.”

He advised that boards ensure their company isn’t just “GDPR-compliant on paper”, making sure that the company is “culturally doing everything possible to ensure appropriate standards of technical and organisational security”.
