Data breaches among charities doubles

The introduction of GDPR is seen as a key factor in a dramatic increase in the number of reports of data breaches to the Information Commissioners’ Office.

Joe Lepper | 4th Sep 18
Image shows concept of data breach with a unlocked padlock. Image credit:

The number of reports of data breaches among charities has doubled over the last two years, according to latest figures.

In 2017/18 there were 148 data security incidents referred to the Information Commissioners’ Office (ICO) by charitable and voluntary organisations – a 100% increase over two years.

The increase in the number of reports across all sectors over the past two years is 75% and the biggest hikes are among general businesses (215% increase) and education and childcare organisations (142% increase).

The sector with the most data breaches in 2017/18 is health, with 1,214 reports.

The figures have been collected by risk management firm Kroll via ICO data and Freedom of Information Act requests.

GDPR a key factor

According to Kroll, a key factor in the increase of reports is that organisations across all sectors have increased their transparency around data breaches ahead of May’s introduction of the General Data Protection Regulation (GDPR), which imposes a duty on organisations to report data breaches.

Andrew Beckett, Managing Director and EMEA Leader for Kroll’s Cyber Risk Practice, expects to see a dramatic increase in reports over the coming year now that reporting is mandatory.

“Reporting data breaches wasn’t mandatory for most organisations before the GDPR came into force, so while the data is revealing, it only gives a snapshot into the true picture of breaches suffered by organisations in the UK,” he said.

“The recent rise in the number of reports is probably due to organisations’ gearing up for the GDPR as much as an increase in incidents.

“Now that the regulation is in force, we would expect to see a significant surge in the number of incidents reported as the GDPR imposes a duty on all organisations to report certain types of personal data breach.”