Many UK firms struggled to identify incidents, delayed reporting to the regulator and left out key details in the year prior to the GDPR, and could still be non-compliant today, according to new data obtained by Redscan.

The managed services provider obtained its findings from Freedom of Information (FOI) data relating to 181 anonymized incidents reported to the Information Commissioner’s Office (ICO) in the financial year ending April 2018.

It took firms on average 60 days to identify that they had been the victim of a breach, and then another 21 days to report the incident. The longest a business took to identify a breach was 1,320 days, and to report one, 142 days.

The vast majority (93%) also left out key details in their reporting, such as the impact of the incident and their recovery processes.

Fewer than a quarter would have complied with the GDPR had it been in force at the time, Redscan estimated. The new law stipulates a strict 72-hour reporting window from the point at which an organization becomes aware of a breach.

Although the figures in many ways highlight exactly why the new legislation was brought in, Redscan argued that the GDPR is unlikely to have changed behaviors.

“Anyone who thinks that businesses are better geared to detect and respond to breaches since May 2018 is kidding themselves,” the firm’s director, Mark Nicholls, told Infosecurity. “Despite greater time pressures and larger fines, most organizations still lack the security expertise and resources they need.”

While firms were already expected to provide estimates for impact and recovery time prior to the GDPR, the reporting requirements are now even more onerous, and firms are struggling to meet them, he added.

“The information sought by the ICO goes way beyond the basics of recovery time and impact; businesses are now asked to provide estimates for the number of records affected and explain all measures being taken to mitigate possible adverse effects,” said Nicholls. “Businesses must also inform all individuals at risk, and to do that they need a full understanding of the scope of the breach.”

A report from DLA Piper in early February claimed there had been 9,000 breach reports to regulators since the GDPR was introduced, including ,600 in the UK, although there was no information on whether these came in late and/or with incomplete details.
