Search

How can we help?

Icon

Breaches of personal data – notification under UK GDPR

The European Data Protection Board has opened a public consultation in relation to one of its guidelines on personal data breach notification under the GDPR. Although the UK has left the EU, the ICO has confirmed that these guidelines continue to be relevant to the UK data protection regime.
The above guideline is quite specific, relating to breach notification across member states, however, it presents a good opportunity for us to remind organisations of breach obligations more generally.

Reporting timeline and fines

Organisations must report personal data breaches to the ICO without undue delay, and where feasible within 72 hours of becoming aware of the breach. In some cases, organisations must also inform the individuals whose personal data is affected.
Failing to notify the ICO of all notifiable breaches can result in a fine of up to £8.7 million or 2 per cent of an organisation’s global turnover. The ICO’s other corrective powers can also be combined with the fine.

Notification to the ICO

Notification to the ICO must be made where a personal data breach is likely to result in a risk to individuals’ rights and freedoms. To assess whether this is the case, organisations should consider the specific circumstances of the breach and its potential impact. If an organisation decides against reporting the breach, it should document this and retain any relevant information it used to arrive at its decision that there is no risk to individuals’ rights and freedoms.
Information to include in a breach notification to the ICO:

  • the details of the personal data breach, such as the type of personal data involved as well as the number of individuals affected;
  •  a description of the likely consequences of the personal data breach;
  • a description of actions that are (or will be) taken to deal with the personal data breach, or to mitigate its negative effects;
  • the date and time the breach was detected;
  •  the date and time the breach actually occurred (or an estimate); and
  • the data protection officer’s name and contact details, or some other point of contact where more information can be obtained;

Because information must be provided without undue delay, it is an option for organisations to notify the ICO in stages if they do not have all of the details.

Sana Nahas

Trainee Solicitor

View profile

‪+44 118 960 4611

Organisations must report personal data breaches to the ICO without undue delay, and where feasible within 72 hours of becoming aware of the breach.

Notification to individuals

Individuals must be notified of a breach where it is likely to result in a high risk to their rights and freedoms. This threshold is higher than reporting to the ICO, and so where individuals must be notified, the ICO will always have to be notified too. As with reporting to the ICO, individuals must be notified without undue delay.

Information to include in a breach notification to individuals:

  • the likely consequences of the personal data breach;
  • a description of the measures taken, or proposed to be taken, to deal with the breach including actions taken to mitigate its effects; and
  • the data protection officer’s name and contact details, or some other point of contact where more information can be obtained.

If there are any steps which the individuals can themselves take to mitigate the impact of the breach, organisations should also communicate this to them. This may include, for example, changing passwords.

Other notifications

In a major cyber incident, the ICO recommends considering whether this should be reported to the National Cyber Security Centre (NCSC). The NCSC responds to cyber security incidents to reduce the harm they cause to organisations. Showing that the help of the NCSC has been sought may be an important feature of breach handling. However, it is not an alternative to reporting the breach to the ICO; the ICO must be notified without undue delay.
Organisations may also wish to report the incident to Action Fraud (or Police Scotland, if the organisation is located in Scotland), if the incident could have a high risk of individuals being affected by fraud.

Unsure of whether a breach is notifiable?

Not every breach has to be reported to the ICO. The ICO has a self-assessment tool on its website to assist organisations in determining whether a breach poses a risk to people’s rights and freedoms and should therefore be reported. The self-assessment takes five minutes to complete.

If you need any advice on breaches of personal data, please do not hesitate to contact our data breach solicitors who will be happy to assist.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Sana Nahas

Trainee Solicitor

View profile

‪+44 118 960 4611

About this article

Read, listen and watch our latest insights

Pub
  • 26 March 2024
  • Privacy and Data Protection

AI Podcast: AI and Data Security

In the third and final podcast in our ‘AI Podcast’ trilogy, members of the data protection team, will be discussing how to use AI to process data safely. They will be looking closely at the risks for businesses and the types of data security protections you can put in place.

art
  • 26 March 2024
  • Privacy and Data Protection

Key considerations for data retention policies

In the ever-evolving landscape of data protection regulations, data retention stands as a crucial aspect of compliance and risk management for organisations across industries.

art
  • 18 March 2024
  • Privacy and Data Protection

Consent or pay: Issues and considerations, Meta’s potential breach

The ICO has stated that any organisation considering using “consent or pay” must ensure that the consent to processing of personal data for personalised advertising is being given freely, and is fully informed.

art
  • 13 March 2024
  • Privacy and Data Protection

21 March 2024 Deadline: Are your international data transfer agreements compliant?

If your organisation transfers personal data from the UK to another country, it needs to comply with statutory requirements to ensure adequate levels of protection for that data are in place.

art
  • 06 March 2024
  • Privacy and Data Protection

Personal Data Breaches – How do I deal with them?

This article will provide an overview of the steps to take when experiencing a personal data breach.

Pub
  • 05 March 2024
  • Privacy and Data Protection

How do I protect my business in the event of a personal data breach?

Don’t let your business fall victim to personal data breaches. Join Louise Keenan and Rebecca Dowle, for a quick overview of how to protect your business.