Majority of UK firms ‘failing in breach reporting’ prior to GDPR
Many UK businesses may need to make significant improvements to how they handle data breaches in order to comply with the EU General Data Protection Regulation (GDPR), after it was revealed that most firms had poor breach-reporting practices in the year before the regulation took effect.
A Freedom of Information request sent to the Information Commissioner's Office (ICO) by security firm Redscan revealed more than nine out of ten companies that experienced a breach (91 per cent) left out vital information when they alerted the regulator to the incident.
This included details such as the impact of the breach, the recovery process and on what dates it occurred.
It also revealed that most organisations failed to either detect a breach or report it in a timely fashion, as now required by GDPR.
On average, it took companies 60 days to discover they had been the victim of a breach, with one firm going 1,320 days – more than three and a half years – before spotting it had been compromised.
Once incidents did come to light, it took businesses an average of 21 days to report them to the ICO, while one took as long as 142 days. This meant that, overall, fewer than a quarter of businesses would have met the GDPR requirement (Article 33) to notify the regulator within 72 hours of becoming aware of a breach.
Mark Nicholls, director of cybersecurity at Redscan, said the figures show that breach detection and reporting continue to be major challenges for British firms.
"Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO," he continued. "This was a problem before the GDPR and is an even bigger problem now that reporting requirements are stricter."
He added that it is "optimistic" to think businesses will have become better at detecting and reporting breaches since GDPR came into force last May, as he noted that many firms still seem to be struggling with their security activities, despite the prospect of larger penalties.