ICO Blog

GDPR – setting the record straight on data breach reporting

By Elizabeth Denham, Information Commissioner.

Our series of blogs continues to sort the fact from the fiction by busting some of the myths around the General Data Protection Regulation (GDPR).

New requirements to report serious breaches of personal data are high up on the list of issues we need to address.

Misleading press stories have claimed that all breaches will need to be reported to the Information Commissioner’s Office and customers alike; others say all details of the breach need to be known straight away and some say there’ll be huge fines for failing to report.

With nine months to go until GDPR comes into effect, we recognise that businesses and organisations are concerned. This latest blog challenges a few of the myths that have sprung up around data breach reporting.

Myth #5

All personal data breaches will need to be reported to the ICO.

Fact:

It will be mandatory to report a personal data breach under the GDPR if it’s likely to result in a risk to people’s rights and freedoms.

So if it’s unlikely that there’s a risk to people’s rights and freedoms from the breach, you don’t need to report.

Under the current UK data protection law, most personal data breach reporting is best practice but not compulsory. And although certain organisations are required to report under other laws, like the Privacy and Electronic Communications Regulation (PECR), mandatory reporting of a personal data breach that results in a risk to people’s rights and freedoms under the GDPR will be a new requirement for many.

These new reporting requirements will mean some changes to the way businesses, organisations and even the ICO identify, handle and respond to personal data breaches.

The threshold to determine whether an incident needs to be reported to the ICO depends on the risk it poses to people involved.

Pan-European guidelines will assist organisations in determining thresholds for reporting, but the best approach will be to start examining the types of incidents your organisation faces and develop a sense of what constitutes a serious incident in the context of your data and your own customers.

And organisations need to remember that if there’s the likelihood of a high risk to people’s rights and freedoms, they will also need to report the breach to the individuals who have been affected.

We’ve provided some initial guidance in our GDPR overviews that high risk situations are likely to include the potential of people suffering significant detrimental effect – for example, discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage.

If organisations aren’t sure about who is affected, the ICO will be able to advise and, in certain cases, order them to contact the people affected if the incident is judged to be high risk.

Myth #6

All details need to be provided as soon as a personal data breach occurs.

Fact:

Under the GDPR there is a requirement for organisations to report a personal data breach that affects people’s rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it.

Organisations will have to provide certain details when reporting, but the GDPR says that where the organisation doesn’t have all the details available, more can be provided later. The ICO will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident – but we will want to know the potential scope and the cause of the breach, mitigation actions you plan to take, and how you plan to address the problem.

Myth #7

If you don’t report in time a fine will always be issued and the fines will be huge.

Fact:

As we said in our earlier blog, fines under the GDPR will be proportionate and not issued in the case of every infringement.

Organisations should be aware that the ICO will have the ability to issue fines for failing to notify and failing to notify in time. It is important that organisations that systematically fail to comply with the law or completely disregard it, particularly when the public are exposed to significant data privacy risks, know that we have that sanction available.

Fines can be avoided if organisations are open and honest and report without undue delay, which works alongside the basic transparency principles of the GDPR.

Tell it all, tell it fast, tell the truth.

Myth #8

Data breach reporting is all about punishing organisations.

Fact:

Personal data breach reporting has a strong public policy purpose. The law is designed to push companies and public bodies to step up their ability to detect and deter breaches. What is foremost in regulators’ minds is not to punish the organisations, but to make them better equipped to deal with security vulnerabilities.

The public need to have trust and confidence that a regulator is collecting and analysing information about breaches, looking for trends, patterns and wider issues with organisations, sectors or types of technologies. It will help organisations get data protection right now and in the future.

We understand that there will be attempts to breach organisations’ systems, and that data breach reporting will not miraculously halt criminal activity. But the law will raise the level of security and privacy protections across the board.

Data breach reporting makes sense under the new legislation which is focused on giving consumers more control over their data and increasing the accountability of organisations. It’s also not unusual – almost all States in the US, some Canadian jurisdictions, and Australia have successfully tightened breach reporting as part of their legal framework.

We’re currently working alongside other EU data protection authorities as part of the Article 29 Working Party to produce guidance that will set out when organisations should be reporting, and the steps they can take to help meet their obligations under the new data breach reporting requirement. There are already some examples and explanation in our GDPR overview.

You should be preparing now by ensuring you have the roles, responsibilities and processes in place for reporting; this is particularly important for medium to large organisations that have multiple sites or business lines.

Over the coming months we’ll be gearing up for the changes by introducing a new phone reporting service to enable businesses and organisations to report current personal data breaches and future breaches under the GDPR. It will sit alongside a web reporting form and provide organisations with a quicker and easier way of reporting to the ICO, enabling them to receive immediate advice.

Just to be absolutely clear – up until 25 May 2018 all personal data breaches will be assessed under the current Data Protection Act.

Elizabeth Denham was appointed Information Commissioner in July 2016. Her key goal is to increase the UK public’s trust and confidence in what happens to their personal data.