
Neal Pal
Senior Product Development Specialist
United Kingdom
While this year’s annual report by the Information Commissioner’s Office (ICO) showed a modest decline in reported personal data breaches, deeper analysis of ICO data since the General Data Protection Regulation (GDPR) came into force suggests several emerging trends.
The reporting of personal data breaches jumped dramatically after the GDPR came into force in May 2018. In 2017/2018, the prior reporting year, the number of breaches notified to the ICO was 3,311. This figure quadrupled to 13,840 the following year, as notifications to the ICO became mandatory for breaches that result in a risk to the affected data subjects’ rights and freedoms.
However, there has since been a gentle decline in the number of reported breaches, with the ICO notified of 9,532 incidents in 2020/2021. Various reasons are likely to have contributed to this drop. First, as the ICO itself has commented, many organisations over-reported data breaches in the first year after the GDPR entered into force, despite the new notification thresholds not being met. More recently, the ICO stated that it has received fewer reports during the last year owing to the pandemic, although it has not explained precisely why this should be the case.
While the ICO’s guidance at the outset of the pandemic acknowledged that many organisations might have to divert resources in order to handle the crisis, it also made clear that personal data breaches should continue to be notified where appropriate. Given the ICO's comments on the drop in notified data breaches during the last year, the number of reported breaches may be expected to again rise slightly after the end of the pandemic.
The vast majority of reported breaches do not result in further action from the ICO (see below). Only 0.1% of cases, or fewer, result in a lower tier fine. The proportion of incidents that are closed after the ICO takes informal action, such as agreeing an improvement plan with the data controller in question, has dropped from 17.6% in 2018/2019 to 3.9% in 2020/2021. This perhaps reflects a gradual evolution and progress of organisations’ data protection measures and procedures following the passing of the GDPR.
However, in its 2020/2021 report, the ICO also confirmed how many times it opened an investigation. During that year, an investigation was commenced in 21.6% of cases. Even when the regulator ultimately decides not to take further action, the investigation process can be intrusive for data controllers and sometimes lasts a number of months, with prompt and detailed responses to the ICO required if the matter is not to be escalated.
Prior to the pandemic, the ICO embarked on a recruitment drive to help handle the increased number of cases since the start of the mandatory reporting regime. Therefore, going forward, it may have additional capacity to expand its caseload of investigations. With one in four breaches already resulting in either an investigation or informal action from the ICO, the organisations best equipped to handle the regulator’s queries will be the ones able to call upon the assistance of specialist data privacy lawyers where necessary, such as those available through cyber insurance.
The main sectors affected by UK data breaches have remained generally constant over the last few years. Health and social care account for almost 20% of reported breaches, while education makes up around 14% of incidents. Retail and manufacturing have experienced a marked increase, from over 2% in 2018/2019 to almost 11% last year. Finance has remained relatively steady, most recently contributing over 10% of breaches, while the legal sector has averaged almost 8%.
These five areas, which, as the ICO observed, handle large volumes of personal data, now account for over 60% of reported personal data breaches in the UK. The ICO further noted a strong correlation between the number of reports and the sensitivity of the data. However, it also identified a link between the number of notifications and how well developed a data controller's reporting processes are.
The above breakdown broadly matches the same sectors that purchase higher limits in their cyber insurance programmes. It is anticipated that the core areas of activity that rely heavily on the processing of personal data, such as health, retail, finance, and the legal industry, will continue to contribute the majority of data breaches.
The sophisticated utilisation of large volumes of personal data is fast becoming a key differentiator in successful business models in these sectors. Organisations operating in this space will increasingly benefit from the support available from cyber insurance following a personal data breach, in particular external legal assistance on notification obligations and subsequent regulatory investigations and third party claims.