Most ICO data breach reports late and incomplete prior to full GDPR implementation, FoI request data reveals, raising doubts about breach prevention, detection and response capabilities.
UK businesses routinely delayed data breach disclosure to the Information Commissioner’s Office (ICO) in the year ahead of the full implementation of the EU’s General Data Protection Regulation (GDPR) on 25 May 2018.
This was the main finding of a freedom of information (FoI) request to the Information Commissioner’s Office about 182 data breach reports triaged by the ICO in the financial year to April 2018 by threat detection and response firm Redscan.
Analysis of the data shows that, on average, it took companies 60 days (two months) to identify they’d been a victim of a data breach, with one business taking as long as 1,320 days (44 months).
Businesses waited three weeks on average after discovery to report a breach to the ICO, while the worst offending organisation waited 142 days. The data showed that less than a quarter of businesses would be compliant with current GDPR requirements, which demand that organisations report a breach within 72 hours of discovery.
