Digi.me has revealed that only a minuscule percentage of data breach cases closed by the data protection regulator under the General Data Protection Regulation (GDPR) have resulted in monetary penalties.
The data, which was obtained by digi.me under the Freedom of Information Act, shows that 11,468 self-reported data breach cases were closed by the Information Commissioner’s Office (ICO) between the implementation of the GDPR on 25 May 2018 and the end of March 2019. Public records displayed on the ICO website show that during this period a total of 29 monetary penalties were issued by the regulator – a penalty rate of 0.25%.
The data also revealed that 37,798 data protection concerns have been raised by members of the public since 25 May 2018. This figure is nearly three times the number of actual data breach cases investigated by the ICO during this same period (12,854).
Julian Ranger, founder of digi.me, said: “There is a clear problem with individuals and businesses over-reporting to the ICO. This data demonstrates the extent to which the ICO is inundated by concerns from businesses and the public, the vast majority of which are not serious enough for any kind of penalty or even to warrant an investigation.”
Digi.me’s analysis of the data revealed that the sectors with the most self-reported data breach cases include health, education, and finance. The sensitive nature of the data collected by these sectors will only heighten existing concerns about personal data usage.
Ranger continued: “Businesses and individuals are clearly unsure what constitutes a serious breach of sensitive data. There is no public confidence that personal data is being handled responsibly – any organisation that collects personal data should put an informed consent process in place, which has the double benefit of putting individuals back in control of their personal data while also being fully compliant with regulation.”
An informed consent process, which is currently only available on the digi.me platform, allows users to privately share data with a third party (such as their bank). Users must grant their explicit permission before the data is shared and no data is transferred from their device to the third party without full consent – all data operations can happen inside an app or within a temporary virtual personal cloud that terminates when done. This process meets all regulatory requirements.