The Information Commissioner's Office (ICO) has published its annual report into what the Commissioner describes as an "unprecedented year for the ICO". Without a doubt it has been an unprecedented year, particularly in respect of personal data breach reporting.

The General Data Protection Regulation and the Data Protection Act 2018 came into force last year and introduced the requirement for organisations to report certain types of personal data breaches to the ICO. Unsurprisingly, the ICO has reported that the number of personal data breaches reported to it in 2018/2019 was more than quadruple the number reported to it in 2017/2018. The ICO received a total of 13,840 personal data breach reports in 2018/2019 - that's about 40 a day!

But what were perhaps more interesting were the statistics the ICO reported regarding the outcome of the personal data breach reports that have been made. In more than 80% of cases no further action has been required by the data controller, and in less than 1% of cases did the ICO take further action beyond requiring the data controller to take further action.

This is hopefully a glimmer of hope for organisations recently frightened by the news of the ICO's intended £183m fine for British Airways (see our posts about this here and here). But businesses can't be complacent and, as the ICO observes, should continue to increase staff awareness to enable them to recognise personal data breaches and react appropriately.