GDPR – setting the record straight on data breach reporting

08 September 2017

The Information Commissioner’s Office (ICO) has written a series of blogs aiming to bust some of the myths that have developed around the General Data Protection Regulation (GDPR).

The first two blogs covered the myths surrounding new fining powers and the issue of consent; the third one talked about another widely held misconception, that the new regime is an onerous imposition of unnecessary and costly red tape. And the latest discusses the new requirements to report serious breaches of personal data.

The ICO has said that misleading press stories have claimed that every breach will need to be reported both to the ICO and to the affected customers; others say every detail of the breach must be known straight away, and some say there will be huge fines for failing to report.

With nine months to go until GDPR comes into effect, the ICO recognise that businesses and organisations are concerned.

The ICO says it will be mandatory to report a personal data breach under the GDPR if it is likely to result in a risk to people’s rights and freedoms (the GDPR itself, in Article 33, requires that report to be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach). So if it is unlikely that the breach poses a risk to people’s rights and freedoms, you do not need to report it.

Under the current UK data protection law, most personal data breach reporting is best practice but not compulsory. Although certain organisations are already required to report under other laws, such as the Privacy and Electronic Communications Regulations (PECR), mandatory reporting under the GDPR of a personal data breach that results in a risk to people’s rights and freedoms will be a new requirement for many.

These new reporting requirements will mean some changes to the way businesses, organisations and even the ICO identify, handle and respond to personal data breaches. The threshold for deciding whether an incident needs to be reported to the ICO depends on the risk it poses to the people involved.

Pan-European guidelines will assist organisations in determining thresholds for reporting, but the best approach will be to start examining the types of incidents your organisation faces and develop a sense of what constitutes a serious incident in the context of your data and your own customers.

And organisations need to remember that if there’s the likelihood of a high risk to people’s rights and freedoms, they will also need to report the breach to the individuals who have been affected.

The ICO has provided some initial guidance in its GDPR overviews that high risk situations are likely to include the potential for people to suffer significant detrimental effect – for example, discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage.

If organisations are not sure who is affected, the ICO will be able to advise and, in certain cases, order them to contact the people affected if the incident is judged to be high risk.

You can read the three previous blogs from the ICO through the links below: