GDPR – setting the record straight on data breach reporting

Listen to our March 2018 podcast answering your questions on GDPR myths.

By Elizabeth Denham, Information Commissioner.

Our series of blogs continues to sort the fact from the fiction by busting some of the myths around the General Data Protection Regulation (GDPR).

New requirements to report serious breaches of personal data are high up on the list of issues we need to address.

Misleading press stories have claimed that all breaches will need to be reported to the Information Commissioner’s Office and customers alike; others say all details of the breach need to be known straight away and some say there’ll be huge fines for failing to report.

With nine months to go until GDPR comes into effect, we recognise that businesses and organisations are concerned. This latest blog challenges a few of the myths that have sprung up around data breach reporting.

Myth #5

All personal data breaches will need to be reported to the ICO.

It will be mandatory to report a personal data breach under the GDPR if it’s likely to result in a risk to people’s rights and freedoms.

So if it’s unlikely that there’s a risk to people’s rights and freedoms from the breach, you don’t need to report.

Under the current UK data protection law, most personal data breach reporting is best practice but not compulsory. Although certain organisations are already required to report under other laws, such as the Privacy and Electronic Communications Regulations (PECR), mandatory reporting under the GDPR of a personal data breach that results in a risk to people’s rights and freedoms will be a new requirement for many.

These new reporting requirements will mean some changes to the way businesses, organisations and even the ICO identify, handle and respond to personal data breaches.

The threshold for determining whether an incident needs to be reported to the ICO depends on the risk it poses to the people involved.

Pan-European guidelines will assist organisations in determining thresholds for reporting, but the best approach will be to start examining the types of incidents your organisation faces and develop a sense of what constitutes a serious incident in the context of your data and your own customers.

And organisations need to remember that if there’s the likelihood of a high risk to people’s rights and freedoms, they will also need to report the breach to the individuals who have been affected.

We’ve provided some initial guidance in our GDPR overviews that high risk situations are likely to include the potential of people suffering significant detrimental effect – for example, discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage.

If organisations aren’t sure about who is affected, the ICO will be able to advise and, in certain cases, order them to contact the people affected if the incident is judged to be high risk.

Myth #6

All details need to be provided as soon as a personal data breach occurs.

Under the GDPR there is a requirement for organisations to report a personal data breach that affects people’s rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it.

Organisations will have to provide certain details when reporting, but the GDPR says that where an organisation doesn’t have all the details available, more can be provided later. The ICO will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident, but we will want to know the potential scope and the cause of the breach, the mitigation actions you plan to take, and how you plan to address the problem.

Myth #7

If you don’t report in time a fine will always be issued and the fines will be huge.

As we said in our earlier blog, fines under the GDPR will be proportionate and will not be issued in the case of every infringement.

Organisations should be aware that the ICO will have the ability to issue fines for failing to notify, and for failing to notify in time. It is important that organisations that systematically fail to comply with the law or completely disregard it, particularly when the public are exposed to significant data privacy risks, know that we have that sanction available.

Fines can be avoided if organisations are open and honest and report without undue delay, which works alongside the basic transparency principles of the GDPR.

Tell it all, tell it fast, tell the truth.

Myth #8

Data breach reporting is all about punishing organisations.

Personal data breach reporting has a strong public policy purpose. The law is designed to push companies and public bodies to step up their ability to detect and deter breaches. What is foremost in regulators’ minds is not to punish the organisations, but to make them better equipped to deal with security vulnerabilities.

The public need to have trust and confidence that a regulator is collecting and analysing information about breaches, looking for trends, patterns and wider issues across organisations, sectors or types of technology. This will help organisations get data protection right, now and in the future.

We understand that there will be attempts to breach organisations’ systems, and that data breach reporting will not miraculously halt criminal activity. But the law will raise the level of security and privacy protections across the board.

Data breach reporting makes sense under the new legislation, which is focused on giving consumers more control over their data and increasing the accountability of organisations. It’s also not unusual: almost all states in the US, some Canadian jurisdictions, and Australia have successfully tightened breach reporting as part of their legal frameworks.

We’re currently working alongside other EU data protection authorities as part of the Article 29 Working Party to produce guidance that will set out when organisations should be reporting, and the steps they can take to help meet their obligations under the new data breach reporting requirement. There are already some examples and explanation in our GDPR overview.

You should be preparing now by ensuring you have the roles, responsibilities and processes in place for reporting; this is particularly important for medium to large organisations that have multiple sites or business lines.

Over the coming months we’ll be gearing up for the changes by introducing a new phone reporting service to enable businesses and organisations to report current personal data breaches and future breaches under the GDPR. It will sit alongside a web reporting form and provide organisations with a quicker and easier way of reporting to the ICO, enabling them to receive immediate advice.

Just to be absolutely clear – up until 25 May 2018 all personal data breaches will be assessed under the current Data Protection Act.

Elizabeth Denham was appointed Information Commissioner in July 2016. Her key goal is to increase the UK public’s trust and confidence in what happens to their personal data.

46 Responses to GDPR – setting the record straight on data breach reporting

  1. nomadsquire says:

    Another most welcome, excellent, myth-busting blog from the ICO – although I am surprised that the ICO did not mention Article 34 (in connection with notifying data subjects of breaches), that “the communication to the data subject … not be required if the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.” It strikes me that the blog is an excellent opportunity to suggest that easy, inexpensive measures like encryption are a really good approach to take to reduce the amount of effort required in the event of a breach.

  2. Derek Mann says:

    It’s encouraging that helpful clarifications are coming from the ICO in this manner. The message needs to be that this is a good thing to comply with as it is doing right by the ordinary citizen, who are at the heart of this legislation. Sanctions are for organisations who play fast and loose with data for their own purpose and profit.

    Organisations that demonstrate a commitment to comply should be encouraged on their way not penalised out of business.

  3. These blog posts are great at setting the record straight and helping people understand what is needed. Might you be able to do a post on B2B marketing at some point too please, i.e. rules around contacting someone who is personally identifiable via their business email as opposed to info@ or support@… There are an awful lot of people in marketing especially getting very worried about the dos and don’ts. Thanks

    • Hi, I actually raised this question as a submission on this ICO site, was allocated a case response email but have never had a response!
      My belief is that business email addresses are owned by the organisation / company and are not personal data, as they do not transfer with an individual if a person changes employment.
      Hopefully the ICO will issue a clear statement very soon.

      • Derek Mann says:

        Under GDPR, data is any personally identifiable information that can identify a natural living person. Companies/organisations are defined as ‘legal’ persons, therefore data which relates to the company only is not covered by GDPR.

      • Following the post above, I have now had a reply to the case from the ICO.
        They have stated the following:

        “If a business email address includes the name of individual it can be considered personal data. It would identify them as an individual i.e

        Therefore any email address with an individual’s name listed within it in this way must be handled under DPA legislation, and the GDPR as of May next year.”

        On the ICO interpretation, all but very generic email addresses will be included.

        Hopefully this will add to the clarification for everyone.

      • Chris says:

        At the moment under PECR this is a rather large loophole; rightly or wrongly, people do use their business email addresses for pseudo-personal purposes, particularly as we have a policy of blocking webmail for equally valid reasons like blocking unauthorised data egress methods. More problematic at the moment is the situation with work mobiles, where we will port some senior managers’ and certainly directors’ personal mobile numbers over and, when they leave, allow them to port the number out again off our corporate contract as part of their employment terms. People don’t want to be carrying around two devices; technically at the moment these are corporate subscriber devices but used as personal ones.

        Certainly I would like to see a clear statement basically only allowing unsolicited communications to generic addresses such as sales@ info@ location@ type addresses and published main switchboard type numbers and prohibiting calls to DDIs and mobile numbers.

        I can’t really see how it can be argued that firstname.lastname@ or a mobile number or a person’s DDI don’t meet the definition of being identifiable to a natural individual… after all, an IP address is potentially deemed PII, which may only be valid for the duration of a connection session before it is changed.

      • Ian says:

        It doesn’t matter who “owns” or indeed controls the information, what matters is if it can be used to identify an individual, be it personal e-mail address, corporate e-mail address, flight number, meeting register, GPS co-ordinates, etc.

        To that end info@ and support@ I’d expect to be safe as they are essentially anonymous (although at a stretch one could argue that along with other information you may come into possession of even these could be used to identify someone, for example if you know a company only employs one person in their support department).

        Just my personal interpretation though!

  4. Hopefully, the forthcoming Data Protection Bill will provide data controllers (and regulators) with more guidance on what the term “risks to people’s rights and freedoms” actually means. The Bill must avoid psychobabble and gobbledygook (even if a phrase is copied straight from the GDPR) and use terms that ordinary people, like my mum, can understand.

    • Chad Colby-Blake says:

      I picked up on that. More practical elements would be welcomed as to examples of what a ‘risk’ to someone’s rights and freedoms might constitute. Does leaking a name and telephone number of one, or 50 people, constitute a risk their rights and freedoms? (especially when so many companies with whom I don’t interact seem to know mine already). Is there any agreed Pan-European guidance on this out there, yet?

    • Nailah Ukaidi says:

      I agree, the Bill provides us with an opportunity to clarify much of the ambiguity and gaps within the current DPA and to support business towards achieving and demonstrating accountability in practical but measurable ways.

  5. Karl Fontanari says:

    I have suggested previously they should consider setting up a knowledge base of all the questions they must receive and formulate a structure to answer these on-site so anyone can then get self-help in order to dispel a lot of the myths and misinformation, as well as reducing the burden of activity on themselves, surely this must make sense?

  6. Richard Selvidge says:

    I agree with Karl. A Q&A portal showing all the questions asked with responses would be a really valuable asset and enable sharing of best practice very quickly.

  7. Could all the blogs go on to a fact sheet perhaps?

  8. Steve Harwood says:

    Article 33 states that a breach must be reported ‘unless it is unlikely to result in a risk to the rights and freedoms of natural persons’ – NOT as stated in this blog if it is ‘likely’ to result in such a risk.

    Just because something is not ‘likely’ does not necessarily mean it is ‘unlikely’ – ‘likeliness’, or probability is a continuum and I don’t believe that likely/unlikely is a 50% probability split as suggested by this blog. IMO ‘unlikely’ is something less than 20% probability whereas ‘likely’ is perhaps more than 75% probable.

    • Chris Elwell-Sutton says:

      Yes, great point. That was my reading of the Regulation. The assumption is that the breach is notifiable unless the data controller satisfies itself that the breach is unlikely to pose such a risk. Perhaps what looks like a more lenient approach to regulatory reporting will be reflected in the Data Protection Bill?

  9. Could you please comment on this article in today’s Insurance Times, which seems to be greatly over-spun? It states GDPR will cost the insurance industry £100 million:

  10. Pingback: Best practice GDPR will reduce security breaches - ProjectMetrics Ltd

  11. Anonymous says:

    Given the Equifax hack, 4% of turnover (3.1 billion) seems like peanuts. What is that per customer?

  12. Pingback: GDPR – do you know fact from fiction? (ICO 2017) - Garbutt & Elliott

  13. Pingback: ICO: GDPR – setting the record straight on data breach reporting – NACFB Compliance Services

  14. Alex says:

    Another good blog – But I would add to
    Tell it all, tell it fast, tell the truth
    …but above all tell it securely!

  15. Pingback: GDPR: setting the record straight on data breach reporting « Data Protection News

  16. Anonymous says:

    This article focuses on data breaches. Fines can also be levied for administrative breaches where no data loss occurs.

    Also, in addition to fines for data breaches and administrative breaches, GDPR allows for compensation claims by data subjects for ‘distress’ where no actual harm or loss occurred.

  17. Am I the only one that can’t find the blog for myths 2,3 and 4?

  18. With only 8 months to go there is still a lot of confusion about GDPR. The ICO cannot assume that a data breach is acceptable depending on the severity of the breach and the data that has been stolen. I consider any personal data to be private and as such it should be kept securely by those I have given permission to use it. If any of that data escapes into the wild then I for one, no matter how insignificant, would like to know that this has happened so that I can make the correct changes and reduce the risk to myself in the future. The ICO has to react to every single breach irrespective of the size and severity. Our personal data is sacrosanct.

  19. JC Candanedo says:

    Hi, I am a London-based freelance photographer who uses mailing lists to send updates on my work to potential clients based both in the UK and the EU. This is standard practice in the industry. I understand that communications that are B2B are not part of the scope of this directive, but as a freelancer/sole trader, are my communications with other freelancers/sole traders considered B2B? What about between a freelancer/sole trader and a company? Is that B2B? And is that in the scope of this new directive? Thanks!

  20. Pingback: GDPR is an opportunity for your organisation | Local Public Service Communications

  21. minidvr says:

    It is interesting that the concept of consent is based on the actual record of consent for personal data to be shared being recorded and retained forever?

    What about historic consents?

    Will those consents, which may no longer be recorded, given the tendency towards deleting records permanently after a given period of time, be valid, or will organisations need to seek a fresh consent for data sharing, once the new legislation is in place?

  22. Gary Hudson says:

    Great to see the ICO separating fact from fiction. GDPR legislation will drive behaviour, so as we go forward the wild west will be tamed.

  23. Data Vault says:

    Some really great information here, very well put together – thanks

  24. Pingback: Reporting a data breach under the new EU GDPR - Goldstein Legal

  25. Pingback: What is GDPR? | Learn about the General Data Protection Regulation..

  26. Pingback: 10 of the most important cyber security articles of 2017 | CYBSAFE | Resource Centre

  27. Pingback: GDPR is not Y2K | ICO Blog

  28. Pingback: Goodwill, hope, and other positive GDPR messages |

  29. Pingback: GDPR is not Y2K - GDPR Insight
