Out of 11,468 self-reported data breaches investigated by the ICO between May 25, 2018 and March 2019, only 29 (just 0.25 percent) have led to a fine. However, many of the fines were issued for breaches that had occurred before the GDPR came into effect.
These figures come from research conducted by security platform Digi.me. The research also found that, since the GDPR took effect, data subjects have raised 37,798 data protection concerns. Additionally, it showed that the sectors that have been the cause of data breach investigations were the health and education sectors.
On this issue, Julian Ranger, founder of Digi.me, says:
“There is a clear problem with individuals and businesses over-reporting to the ICO. This data demonstrates the extent to which the ICO is inundated by concerns from businesses and the public, the vast majority of which are not serious enough for any kind of penalty or even to warrant an investigation.
“Businesses and individuals are clearly unsure what constitutes a serious breach of sensitive data. There is no public confidence that personal data is being handled responsibly – any organisation that collects personal data should put an informed consent process in place, which has the double benefit of putting individuals back in control of their personal data while also being fully compliant with regulation.”