GDPR flag lock

Last week, the law firm of Pinsent Masons released its “GDPR, a Year In” report, which is pretty much exactly what it sounds like. One particular area of interest is a note about the U.K.'s Information Commissioner's Office and the fact that the organization was experiencing high levels of “over-reporting.”

So what exactly qualifies as over-reporting? The ICO considers it to be incidents reported by a data controller with the proviso that said incident may not have fallen under the GDPR's mandatory reporting requirements. In other words, better safe than sorry.

Stuart Davey, a senior associate with Pinsent Masons, doesn't even think that “over-reporting” is the right phrase.

“'Over-reporting' I think would suggest that people are sort of doing this wrong. I think everybody is taking a cautious approach to obligations of the GDPR. I think data controllers and probably the regulators as well are using this first year to bend in and understand how those regulations work,” Davey said.

Still, the numbers presented in the Pinsent Masons report would seem to indicate that people are reporting matters that they don't have to, or at least matters that the ICO has no attention of pursuing. During a period ranging from the GDPR's enactment in May 2018 to February 2019, the ICO has down closed 7,771 reported incidents as requiring “no further action.” That slice of the pie represents 66% of data breach incidents reported during that same window.

Even if they were made out of an abundance of caution, those closed reports carry risk of their own. Liz Harding, a shareholder at Polsinelli, said that notification where not necessary can expose organizations to greater regulatory scrutiny.

“This raises the risk of regulatory investigations beyond the breach. … For U.S.-based organizations which might have adopted a 'GDPR light' approach to compliance, this risk should be considered in the decision around whether to notify of a breach, particularly where the risk of harm to affected individuals is negligible,” Harding said.

Parameters dictating when a data controller is obligated to report a breach to the applicable supervising authority are laid out in Article 33 and Article 34 of the GDPR. The first requires an incident to be reported “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” Article 34 triggers a report if it “is likely to result in a high risk to the rights and freedoms of natural persons.”

The problem is that determining when a breach is not obligated to be reported can be just as time consuming. Harding gave the example of an email compromise where only business contact information is impacted, which would typically not rise to the level of notification.

“However, before making any such determination, the organization needs to undertake forensic investigation to understand the nature of the data compromised. For example, was any personal information contained in the compromised emails, or were there any attachments which included personal information?” Harding said.

It doesn't help that there's a running clock on the proceedings. Under the GDPR, organizations that have experienced a breach of personal data have 72 hours to report what happened.

According to Davey, time flies during a cyber incident. Sometimes word of a potential breach takes a while to escalate through a company's chain of command, or there might be cyber insurance related issues to address. Regardless, once an organization actually gets around to determining where GDPR fits into the picture, a nuanced analysis of the situation may be difficult.

“We find that by the time it gets through to the legal team, it's not 72 hours at all, it's considerably shorter than that,” he said.

Davey thinks more regulatory guidance could help diminish instances of over-reporting. Sarah Pearce, a partner in the privacy and cybersecurity practice at Paul Hastings, also pointed out that organizations such as the European Data Protection Board have already issued guidance, although noted that it might have flown under most people's radars.

Even if the amount of unnecessary reporting does drop off, that won't necessarily diminish the number of notifications that authorities at the ICO are fielding at any given time.

“Also, what you've got to bear in mind is the fact that data breaches are becoming more prevalent, and more sophisticated so we may well see more breaches occurring that do merit the notification. So even if people become more familiar with the notification requirements, the fact is, the level of threats are on the rise,” Pearce said.