ICO shares insight on data breach reporting requirements

23 Jul 2018

The number of personal data breaches received by the Information Commissioner's Office (ICO) has more than quadrupled since the EU General Data Protection Regulation (GDPR) came into force, it has said.

The ICO said during a recent webinar that the number of breaches reported in June 2018 was around 1,750, more than four times the number reported in March and April 2018 and considerably more than the roughly 700 reported in May.

The increase reflects new data breach notification requirements under GDPR, as well as organisations getting their reporting procedures organised in preparation for the new regime, according to data protection expert Anna Flanagan of Pinsent Masons, the law firm behind Out-Law.com, who attended the webinar.

"June was the first full month with the GDPR in place, so it is unsurprising to see an increase in the number of personal data breaches reported to the ICO," she said.

"The ICO identified a number of interesting trends. Again, unsurprisingly, it has noticed an increase in 'over-reporting', where controllers are so concerned about not complying with the notification requirements that they are notifying the ICO of breaches that don't meet the threshold for notification. Data controllers should focus on maintaining their own internal record of data breaches that do not meet the notification threshold, with their reasoning as to why," she said.

"Incomplete reporting was noted by the ICO as being a problematic issue. The ICO noted that it has received a number of reports essentially setting out that the data controller is unaware of what has happened, including whether or not there has even been a data breach; and that this lack of understanding into whether or not a breach has even occurred is not compliant with the legislation and not an appropriate notification to make," she said.

Article 33 of GDPR imposed a new general requirement on data controllers to notify local data protection authorities of personal data breaches they have experienced "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons". Previously, only some organisations, including telecoms companies and financial firms, were obliged to report certain data breaches they experienced to the regulators.

An important part of GDPR compliance for businesses is therefore to ensure that there is a plan in place for the data protection officer or data protection lead to quickly ascertain whether a data breach has taken place and whether notification is required, said Flanagan.

Businesses that fail to comply with the reporting requirements face potential fines of up to €10 million, or 2% of their annual global turnover, whichever is higher.