ICO worried about firms’ ability to manage data breaches.

News | Data & Security Transformation


Britain’s data watchdog is worried about the ability of UK companies to prevent, detect and respond to data breaches.

An investigation into the response of firms prior to the introduction of GDPR in May 2018 showed it routinely took firms two months to realise they had been the victim of a breach with one firm going a staggering 1,320 days – four months – before they realised what had happened.


On average firms still waited another three weeks before reporting the breach to the Information Commissioner’s Office (ICO) while one waited 142 days. GDPR demands that firms report within 72 hours of discovery.


The best performers were firms in the legal and financial sectors, but finance companies still took an average of 37 days to identify a breach with legal firms being slightly faster at 25 days.


“The only way to look at things is that there are serious criminal elements hard at work on a daily basis trying to break down your defences and steal your data.”


High risk cases

An ICO spokesman said the implementation of GDPR had increased the number of reported breaches because the law now requires it in high risk cases. Since the start date in May of last year it has received more than 11,000 reports.


He added: “This is not just an administrative task. It speaks to a cornerstone of GDPR – accountability. Only by having strong data governance will organisations be able to properly report the details of a breach to us within 72 hours. Data breach reporting will encourage companies to invest in better security and data governance.”



The ICO is concerned that many firms don’t have the procedures, technology or personnel in place to detect breaches or report them in sufficient detail.


In a statement it revealed that 91% of incidents reported to them failed to include information like the impact of the breach on the business, the recovery process and dates.


Said Mike Wills: “Good cyber security doesn’t rely on just one thing. There are many layers to a good security policy, but strong password protection is one of the main lines of defence with all employees encouraged to use best practice to keep your data safe.”


Get serious

Assessing the potential problems Charlotte Riley of CSS said: “Data breaches are now a fact of life and firms of all shapes and sizes must get serious about how they intend to detect and deal with them.


“Having robust data protection procedures in place is only part of the battle. Staff must be aware of the need for constant vigilance and what they need to do if a breach is detected.


“They also need to be provided with the tools they need to do the job. Cyber security isn’t cheap, but compared to the potential threat to your business it’s good value for money.”



It’s important to be aware that hackers don’t work to a normal workday timetable. They don’t knock off at five and have every weekend off. In fact, they’re most likely to be working hardest when you’re not.


The ICO reveals that hackers disproportionately target businesses at the weekend and at all times of the day and night. Manning the defences against attack has become a 24/7 necessity.


Cybersecurity is complex and ever-changing. Data breaches are an everyday reality and if you haven’t already been hacked then you’re a target.


“You can’t stop an attack happening, but you can make every effort to minimised its effect on your business and deal with it promptly and efficiently. The alternative is not a nice thing to contemplate.”



Published: 24th July 2019
Area: Data & Security Transformation