43% of UK organisations have reported a data breach since GDPR


According to a new report, almost half of UK organisations have had a data breach reported to the Information Commissioner’s Office (ICO) since the General Data Protection Regulation (GDPR) came into effect three years ago. The ICO is the UK’s data protection regulator.

The study of UK IT decision makers from enterprise organisations (1000+ employees) was carried out by Vanson Bourne on behalf of Apricorn[1].

Other findings include:

  • only 33% of organisations reported themselves to the ICO
  • 9% did not know whether a breach at their organisation had been reported to the ICO
  • the threat of a data breach is the concern that troubles UK IT leaders the most (57%) when thinking about data privacy regulations
  • 33% reported difficulties adequately identifying or locating data
  • 31% reported difficulties understanding data obligations
  • 25% reported difficulties adequately securing data.

Worryingly, this lack of cyber-resilience not only makes a data breach more likely, it also makes it harder for organisations to respond to and recover from a cyber-attack.

Working from home is making data protection challenges tougher

According to the findings, remote/mobile working is also proving challenging.

  • 39% could not be certain that their data was adequately secured
  • 18% don’t have a good understanding of which data sets need to be encrypted
  • 15% have no control over where company data goes and where it is stored.

With changes to working patterns accelerated by the coronavirus pandemic, implementing a robust cybersecurity plan for WFH (working from home) must be a priority for all organisations. This is especially important because, according to another report, 74% of UK consumers would not shop with an organisation if they were aware that it had been the subject of a data breach or hack in the last 12 months[2].

How to improve data resilience & prevent data breaches

The Apricorn report does provide some key recommendations to help organisations enhance their data security. These are:

  • employee education
  • encrypting all corporate data as standard
  • mandatory offline back-ups
  • gaining up-to-date visibility of all data.

At Keller Postman UK, we would also advise organisations to invest in cyber security insurance.

Why is cyber insurance necessary?

Until the GDPR, the impact of a data breach on business, while damaging, probably wasn’t too bad for big corporations due to the relatively low level of fines that could be issued. But, since the introduction of the GDPR, fines have skyrocketed.

For example, in 2020 the ICO fined British Airways £20 million, and Marriott £18.4 million for high-profile data breaches.

Despite the threat of fines, many UK organisations are still failing to insure themselves against data breaches. In fact, according to the Association of British Insurers (ABI), only 11% of UK companies are said to have specific cyber insurance.

But standard insurance policies do not cover cyber risk, so every business must now consider cyber insurance as part of its precautions against hackers. If a group action data breach claim is made against a company, and it is found liable for data privacy errors, the consequences of not being covered could be catastrophic.

Contact Keller Postman UK to discuss a data breach claim.

In March 2024, our firm changed its name to KP Law. 
