Are Companies Playing It Too Safe With GDPR Breach Reporting?

“'Over-reporting' I think would suggest that people are sort of doing this wrong. I think everybody is taking a cautious approach to obligations of the GDPR. I think data controllers and probably the regulators as well are using this first year to bed in and understand how those regulations work,” Davey said.

Still, the numbers presented in the Pinsent Masons report would seem to indicate that people are reporting matters that they don't have to, or at least matters that the ICO has no intention of pursuing. During a period ranging from the GDPR's enactment in May 2018 to February 2019, the ICO has closed down 7,771 reported incidents as requiring “no further action”. That slice of the pie represents 66% of data breach incidents reported during that same window.

Even if they were made out of an abundance of caution, those closed reports carry risk of their own. Liz Harding, a shareholder at Polsinelli, said that notification where not necessary can expose organizations to greater regulatory scrutiny.

“This raises the risk of regulatory investigations beyond the breach …. For U.S.-based organizations [that] might have adopted a 'GDPR-light' approach to compliance, this risk should be considered in the decision around whether to notify of a breach, particularly where the risk of harm to affected individuals is negligible,” Harding said.

Parameters dictating when a data controller is obligated to report a breach to the applicable supervising authority are laid out in Article 33 and Article 34 of the GDPR. The first requires an incident to be reported “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. Article 34 triggers a report if it “is likely to result in a high risk to the rights and freedoms of natural persons”.

The problem is that determining when a breach is not obligated to be reported can be just as time-consuming. Harding gave the example of an email compromise where only business contact information is impacted, which would typically not rise to the level of notification.

“However, before making any such determination, the organization needs to undertake forensic investigation to understand the nature of the data compromised. For example, was any personal information contained in the compromised emails, or were there any attachments [that] included personal information?” Harding said.

It doesn't help that there's a running clock on the proceedings. Under the GDPR, organizations that have experienced a breach of personal data have 72 hours to report what happened.

According to Davey, time flies during a cyber incident. Sometimes, word of a potential breach takes a while to escalate through a company's chain of command, or there might be cyber insurance-related issues to address. Regardless, once an organisation actually gets around to determining where GDPR fits into the picture, a nuanced analysis of the situation may be difficult.

“We find that by the time it gets through to the legal team, it's not 72 hours at all, it's considerably shorter than that,” he said.

Davey thinks more regulatory guidance could help diminish instances of over-reporting. Sarah Pearce, a partner in the privacy and cybersecurity practice at Paul Hastings, also pointed out that organizations such as the European Data Protection Board have already issued guidance, although she noted that it might have flown under most people's radars.

Even if the amount of unnecessary reporting does drop off, that won't necessarily diminish the number of notifications that authorities at the ICO are fielding at any given time.

“Also, what you've got to bear in mind is the fact that data breaches are becoming more prevalent, and even that is the more sophisticated ones that do merit the notification. So even if people become more familiar, the fact is, the threats are being raised,” Pearce said.

*****

Frank Ready is a reporter on the tech desk at ALM Media. He can be reached at [email protected].