Of the UK cyber matters we advised on in the year to May 2020, 50% required notification to the Information Commissioner’s Office (ICO), down from 61% the previous year. This change was in line with broader trends reported by the ICO, which recorded 11,854 personal data breaches in 2019/20, compared to 13,840 in 2018/2019.
DPAs themselves appear to be becoming more efficient in the way they handle notifications of personal data breaches and other incidents.
In Spain, for example, the Spanish Data Protection Agency works with other bodies such as the Cryptologic National Centre and INCIBE, the National Cyber Security Institution, to offer businesses a single point for security breach notifications. In Ireland we observed an increase in efficiency when it comes to the initial triaging of, and response to, breaches by the Data Protection Commission (DPC). In the last year alone, the DPC recruited 50 new staff, which may account for the enhanced efficiency. Similarly, in Hong Kong, despite an unprecedented surge in complaints in 2019, there was an increased percentage of complaints, investigations conducted and investigation reports published by the Office of the Privacy Commissioner for Personal Data.
The ICO in the UK has also shown itself to be much more targeted and efficient in its actions. In the matters we advised on in the year to May 2020, 83% of cases notified to the ICO were determined by the authority within 30 days of initial notification, compared to little over a third of cases the previous year. With an additional year’s experience, the ICO appears to be more efficient at triaging reported incidents and closing down those that are not sufficiently serious to warrant any further investigation.
In our experience, in cases where the ICO undertakes further investigation of breaches, the authority has also become more targeted with the queries it has raised.