Majority of UK firms ‘failing in breach reporting’ prior to GDPR

Many businesses in the UK may need to make significant improvements to how they handle data breaches in order to ensure they are compliant with the EU General Data Protection Regulation (GDPR), after it was revealed the majority of firms had poor reporting practices in the year prior to its enactment.

A Freedom of Information request sent to the Information Commissioner's Office (ICO) by security firm Redscan revealed more than nine out of ten companies that experienced a breach (91 per cent) left out vital information when they alerted the regulator to the incident.

This included details such as the impact of the breach, the recovery process and on what dates it occurred.

It also revealed that most organisations failed to either detect a breach or report it in a timely fashion, as now required by GDPR.

On average, it took companies 60 days to discover they had been the victim of a breach, with one firm going 1,320 days – more than three and a half years – before spotting it had been compromised.

Once incidents did come to light, it took businesses an average of 21 days to report them to the ICO, while one took as long as 142 days. This meant that overall, less than a quarter of businesses would have been compliant with GDPR regulations that require firms to disclose breaches within 72 hours of discovery.

Mark Nicholls, director of cybersecurity at Redscan, said the figures show that breach detection and reporting continue to be major challenges for British firms.

"Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO," he continued. "This was a problem before the GDPR and is an even bigger problem now that reporting requirements are stricter."

He added that it is "optimistic" to think businesses will have become better at detecting and reporting breaches since GDPR came into force last May, as he noted that many firms still seem to be struggling with their security activities, despite the prospect of larger penalties.