author photo
By Bruce Sussman
Wed | Aug 1, 2018 | 10:35 AM PDT

Self-reported breaches are up an incredible 400% during the first full month with GDPR in effect.

Here is the comparison, based on organizations reporting a breach to the UK's Information Commissioner's Office (ICO). 


  • March and April 2018 (pre-GDPR): about 400
  • May 2018 (GDPR began on May 25): about 700
  • June 2018: (first full month of GDPR): about 1,750

Attorney Anna Flanagan of Pinsent Masons says the increase represents a few different things.

First of all, the increased awareness around GDPR spurred an increase; secondly, many organizations have formalized their notification programs for the first time; and third, the data is skewed by over-reporting.

"The ICO identified a number of interesting trends... it has noticed an increase in 'over-reporting', where controllers are so concerned about not complying with the notification requirements that they are notifying the ICO of breaches that don't meet the threshold for notification. Data controllers should focus on maintaining their own internal record of data breaches that do not meet the notification threshold, with their reasoning as to why."

This is a reminder, for all of us, to look at data with a critical eye. And it's worth checking to see if the next "breaches way up" story includes these over-reported breach numbers from the implementation of GDPR.