GDPR – setting the record straight on data breach reporting

By Elizabeth Denham, Information Commissioner.

Our series of blogs continues to sort the fact from the fiction by busting some of the myths around the General Data Protection Regulation (GDPR).

New requirements to report serious breaches of personal data are high up on the list of issues we need to address.

Misleading press stories have claimed that all breaches will need to be reported to the Information Commissioner’s Office and customers alike; others say all details of the breach need to be known straight away and some say there’ll be huge fines for failing to report.

With nine months to go until GDPR comes into effect, we recognise that businesses and organisations are concerned. This latest blog challenges a few of the myths that have sprung up around data breach reporting.

Myth #5

All personal data breaches will need to be reported to the ICO.

Fact:

It will be mandatory to report a personal data breach under the GDPR if it’s likely to result in a risk to people’s rights and freedoms.

So if it’s unlikely that there’s a risk to people’s rights and freedoms from the breach, you don’t need to report.

Under the current UK data protection law, most personal data breach reporting is best practice but not compulsory. And although certain organisations are already required to report under other laws, like the Privacy and Electronic Communications Regulations (PECR), mandatory reporting of a personal data breach that results in a risk to people’s rights and freedoms under the GDPR will be a new requirement for many.

These new reporting requirements will mean some changes to the way businesses, organisations and even the ICO identify, handle and respond to personal data breaches.

The threshold for determining whether an incident needs to be reported to the ICO depends on the risk it poses to the people involved.

Pan-European guidelines will assist organisations in determining thresholds for reporting, but the best approach will be to start examining the types of incidents your organisation faces and develop a sense of what constitutes a serious incident in the context of your data and your own customers.

And organisations need to remember that if there’s the likelihood of a high risk to people’s rights and freedoms, they will also need to report the breach to the individuals who have been affected.

We’ve provided some initial guidance in our GDPR overviews that high-risk situations are likely to include the potential for people to suffer significant detrimental effects – for example, discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage.

If organisations aren’t sure about who is affected, the ICO will be able to advise and, in certain cases, order them to contact the people affected if the incident is judged to be high risk.

Myth #6

All details need to be provided as soon as a personal data breach occurs.

Fact:

Under the GDPR there is a requirement for organisations to report a personal data breach that affects people’s rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it.

Organisations will have to provide certain details when reporting, but the GDPR says that where the organisation doesn’t have all the details available, more can be provided later. The ICO will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident – but we will want to know the potential scope and the cause of the breach, mitigation actions you plan to take, and how you plan to address the problem.

Myth #7

If you don’t report in time a fine will always be issued and the fines will be huge.

Fact:

As we said in our earlier blog, fines under the GDPR will be proportionate and not issued in the case of every infringement.

Organisations should be aware that the ICO will have the ability to issue fines for failing to notify and failing to notify in time. It is important that organisations that systematically fail to comply with the law or completely disregard it, particularly when the public are exposed to significant data privacy risks, know that we have that sanction available.

Fines can be avoided if organisations are open and honest and report without undue delay, which works alongside the basic transparency principles of the GDPR.

Tell it all, tell it fast, tell the truth.

Myth #8

Data breach reporting is all about punishing organisations.

Fact:

Personal data breach reporting has a strong public policy purpose. The law is designed to push companies and public bodies to step up their ability to detect and deter breaches. What is foremost in regulators’ minds is not to punish the organisations, but to make them better equipped to deal with security vulnerabilities.

The public need to have trust and confidence that a regulator is collecting and analysing information about breaches, looking for trends, patterns and wider issues with organisations, sectors or types of technologies. It will help organisations get data protection right now and in the future.

We understand that there will be attempts to breach organisations’ systems, and that data breach reporting will not miraculously halt criminal activity. But the law will raise the level of security and privacy protections across the board.

Data breach reporting makes sense under the new legislation which is focused on giving consumers more control over their data and increasing the accountability of organisations. It’s also not unusual – almost all States in the US, some Canadian jurisdictions, and Australia have successfully tightened breach reporting as part of their legal framework.

We’re currently working alongside other EU data protection authorities as part of the Article 29 Working Party to produce guidance that will set out when organisations should be reporting, and the steps they can take to help meet their obligations under the new data breach reporting requirement. There are already some examples and explanation in our GDPR overview.

You should be preparing now by ensuring you have the roles, responsibilities and processes in place for reporting; this is particularly important for medium to large organisations that have multiple sites or business lines.

Over the coming months we’ll be gearing up for the changes by introducing a new phone reporting service to enable businesses and organisations to report current personal data breaches and future breaches under the GDPR. It will sit alongside a web reporting form and provide organisations with a quicker and easier way of reporting to the ICO, enabling them to receive immediate advice.

Just to be absolutely clear – up until 25 May 2018 all personal data breaches will be assessed under the current Data Protection Act.

Elizabeth Denham was appointed Information Commissioner in July 2016. Her key goal is to increase the UK public’s trust and confidence in what happens to their personal data.

22 Responses to GDPR – setting the record straight on data breach reporting

  1. nomadsquire says:

    Another most welcome, excellent, myth-busting blog from the ICO – although I am surprised that the ICO did not mention Article 34 (in connection with notifying data subjects of breaches), that “the communication to the data subject … [shall] not be required if the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.” It strikes me that the blog is an excellent opportunity to suggest easy, inexpensive measures like encryption are a really good approach to take to reduce the amount of effort required in the event of a breach.

  2. Derek Mann says:

    It’s encouraging that helpful clarifications are coming from the ICO in this manner. The message needs to be that this is a good thing to comply with as it is doing right by the ordinary citizen, who are at the heart of this legislation. Sanctions are for organisations who play fast and loose with data for their own purpose and profit.

    Organisations that demonstrate a commitment to comply should be encouraged on their way not penalised out of business.

  3. These blog posts are great at setting the record straight and helping people understand what is needed. Might you be able to do a post on B2B marketing at some point too please, i.e. rules around contacting someone who is personally identifiable via their business email as opposed to info@ or support@… There are an awful lot of people in marketing especially getting very worried about the dos and don’ts. Thanks

    • Hi, I actually raised this question as a submission on this ICO site, was allocated a case response email but have never had a response!
      My belief is that business email addresses are owned by the organisation / company and are not personal data, as they do not transfer with an individual if a person changes employment.
      Hopefully the ICO will issue a clear statement very soon.

      • Derek Mann says:

        Under GDPR, data is any personally identifiable information that can identify a natural living person. Companies/organisations are defined as ‘legal’ persons, therefore data which relates to the company only is not covered by GDPR.

      • Chris says:

        At the moment under PECR this is a rather large loophole. Rightly or wrongly, people do use their business email addresses for pseudo-personal purposes, particularly as we have a policy of blocking webmail for equally valid reasons, like blocking unauthorised data egress methods. More problematic at the moment is the situation with work mobiles, where we will port some senior managers’ and certainly directors’ personal mobile numbers over and, when they leave, allow them to port the number out again off our corporate contract as part of their employment terms. People don’t want to be carrying around two devices; technically at the moment these are corporate subscriber devices but used as personal ones.

        Certainly I would like to see a clear statement basically only allowing unsolicited communications to generic addresses such as sales@ info@ location@ type addresses and published main switchboard type numbers and prohibiting calls to DDIs and mobile numbers.

        I can’t really see how it can be argued that firstname.lastname@ or a mobile number or a person’s DDI don’t meet the definition of being identifiable to a natural individual… after all, an IP address is potentially deemed PII, which may only be valid for the duration of a connection session before it is changed.

  4. Hopefully, the forthcoming Data Protection Bill will provide data controllers (and regulators) with more guidance on what the term “risks to people’s rights and freedoms” actually means. The Bill must avoid psychobabble and gobbledygook (even if a phrase is copied straight from the GDPR) and use terms that ordinary people, like my mum, can understand.

    • Chad Colby-Blake says:

      I picked up on that. More practical elements would be welcomed as to examples of what a ‘risk’ to someone’s rights and freedoms might constitute. Does leaking the name and telephone number of one, or 50, people constitute a risk to their rights and freedoms? (Especially when so many companies with whom I don’t interact seem to know mine already.) Is there any agreed pan-European guidance on this out there yet?

  5. Karl Fontanari says:

    I have suggested previously that they should consider setting up a knowledge base of all the questions they must receive and formulate a structure to answer these on-site, so anyone can then get self-help in order to dispel a lot of the myths and misinformation, as well as reducing the burden of activity on themselves. Surely this must make sense?

  6. Richard Selvidge says:

    I agree with Karl. A Q & A portal showing all the questions asked with responses would be a really valuable asset and enable sharing of best practice very quickly.

  7. Could all the blogs go on to a fact sheet perhaps?

  8. Steve Harwood says:

    Article 33 states that a breach must be reported ‘unless it is unlikely to result in a risk to the rights and freedoms of natural persons’ – NOT as stated in this blog if it is ‘likely’ to result in such a risk.

    Just because something is not ‘likely’ does not necessarily mean it is ‘unlikely’ – ‘likeliness’, or probability is a continuum and I don’t believe that likely/unlikely is a 50% probability split as suggested by this blog. IMO ‘unlikely’ is something less than 20% probability whereas ‘likely’ is perhaps more than 75% probable.

    • Chris Elwell-Sutton says:

      Yes, great point. That was my reading of the Regulation. The assumption is that the breach is notifiable unless the data controller satisfies itself that the breach is unlikely to pose such a risk. Perhaps what looks like a more lenient approach to regulatory reporting will be reflected in the Data Protection Bill?

  9. Pingback: Best practice GDPR will reduce security breaches - ProjectMetrics Ltd

  10. Anonymous says:

    Given the Equifax hack, 4% of turnover (3.1 billion) seems like peanuts. What is that per customer?

  11. Pingback: GDPR – do you know fact from fiction? (ICO 2017) - Garbutt & Elliott

  12. Pingback: ICO: GDPR – setting the record straight on data breach reporting – NACFB Compliance Services

  13. Alex says:

    Another good blog – But I would add to
    Tell it all, tell it fast, tell the truth
    …but above all tell it securely!

  14. Pingback: GDPR: setting the record straight on data breach reporting « Data Protection News

  15. Anonymous says:

    This article focuses on data breaches. Fines can also be levied for administrative breaches where no data loss occurs.

    Also, in addition to fines for data breaches and administrative breaches, GDPR allows for compensation claims by data subjects for ‘distress’ where no actual harm or loss occurred.

  16. Am I the only one that can’t find the blog for myths 2,3 and 4?
