
GDPR leads to vast quantities of unnecessary data reports

Chris Hamblin, Editor, London, 16 September 2018


James Dipple-Johnstone, the UK's deputy Information Commissioner, recently told the Confederation of British Industry's fourth annual cyber-security conference that his office has been receiving 500 breach reports by telephone per week since the General Data Protection Regulation came into force. A third of them are either unnecessary or too trivial to count as a 'data incident'.

The Information Commissioner's Office gleaned these details through an internal study of inbound calls. Unfortunately, other details and statistics are not yet in the public domain.

Lillian Tsang, the senior data protection consultant at Falanx Group, told Compliance Matters why firms are over-reporting, what they might do to improve their performance, and how this is likely to affect the commissioner's office and its ability to deal with genuine data breach reports.

"The over-reporting is due to companies wanting to do the 'right' thing and wanting to report breaches as and when they occur. It is difficult for a company to decide what is a reportable breach and what is not, even though the legislation is clear. It is the assessment of 'whether a breach poses a fundamental risk to people's rights and freedom' that makes something reportable, and this is where every company faces difficulty and uncertainty. A company would have to come down to a decision and it would be their decision alone, so it can become a matter of subjectivity: a case of 'do we or don't we'. Companies don't want to play a guessing game, because they would rather report a breach, to avoid the fines for non-reporting (€10 million/2% of global annual turnover), than face the financial and reputational consequences. A breach where sensitive data is leaked relating to individuals is reportable, but an outage where individuals cannot access their personal data is not going to cause too much distress in most cases. However, such outages are commonly reported because companies would rather be safe than sorry.

"Companies should have a clear breach reporting procedure. They should outline which types of 'incident' are worth reporting and which are not. This will help them make a decision within the allotted 72-hour time period, which isn't a great deal of time to make an assessment. This is probably another reason why breaches get reported so quickly - in keeping with the 'better safe than sorry' approach. It is also important that these criteria are shared and adopted throughout the whole organisation by training staff and creating greater awareness. It is also vital to understand the products and services where potential risks of a fundamental breach might occur, using tools such as privacy by design and data protection impact assessments continuously throughout the whole product life cycle. Finally, companies need to look at and understand guidance from the regulator (which, in the UK, is the ICO) and the European Commission.

"I think the ICO is inundated enough, and not only in its breach reporting division. As it has first-hand knowledge of the types of breach that happen, it might want to expand on its guidance over time, with explicit examples of the things that it is rejecting and upholding."
