
Breaches of personal data – notification under UK GDPR

The European Data Protection Board has opened a public consultation on one of its guidelines on personal data breach notification under the GDPR. Although the UK has left the EU, the ICO has confirmed that these guidelines continue to be relevant to the UK data protection regime.
The guideline itself is quite specific, relating to breach notification across member states; however, it presents a good opportunity for us to remind organisations of their breach obligations more generally.

Reporting timeline and fines

Organisations must report personal data breaches to the ICO without undue delay, and where feasible within 72 hours of becoming aware of the breach. In some cases, organisations must also inform the individuals whose personal data is affected.
Failing to notify the ICO of all notifiable breaches can result in a fine of up to £8.7 million or 2 per cent of an organisation’s global turnover. The ICO’s other corrective powers can also be combined with the fine.

Notification to the ICO

Notification to the ICO must be made where a personal data breach is likely to result in a risk to individuals’ rights and freedoms. To assess whether this is the case, organisations should consider the specific circumstances of the breach and its potential impact. If an organisation decides against reporting the breach, it should document this and retain any relevant information it used to arrive at its decision that there is no risk to individuals’ rights and freedoms.
Information to include in a breach notification to the ICO:

  • the details of the personal data breach, such as the type of personal data involved as well as the number of individuals affected;
  • a description of the likely consequences of the personal data breach;
  • a description of actions that are (or will be) taken to deal with the personal data breach, or to mitigate its negative effects;
  • the date and time the breach was detected;
  • the date and time the breach actually occurred (or an estimate); and
  • the data protection officer’s name and contact details, or some other point of contact where more information can be obtained.

Because the ICO must be notified without undue delay, organisations may notify the ICO in stages if they do not yet have all of the details.

Sana Nahas

Trainee Solicitor


Notification to individuals

Individuals must be notified of a breach where it is likely to result in a high risk to their rights and freedoms. This threshold is higher than the threshold for reporting to the ICO, so where individuals must be notified, the ICO will always have to be notified too. As with reporting to the ICO, individuals must be notified without undue delay.

Information to include in a breach notification to individuals:

  • the likely consequences of the personal data breach;
  • a description of the measures taken, or proposed to be taken, to deal with the breach including actions taken to mitigate its effects; and
  • the data protection officer’s name and contact details, or some other point of contact where more information can be obtained.

If there are any steps which the individuals can themselves take to mitigate the impact of the breach, organisations should also communicate this to them. This may include, for example, changing passwords.

Other notifications

In a major cyber incident, the ICO recommends considering whether this should be reported to the National Cyber Security Centre (NCSC). The NCSC responds to cyber security incidents to reduce the harm they cause to organisations. Showing that the help of the NCSC has been sought may be an important feature of breach handling. However, it is not an alternative to reporting the breach to the ICO; the ICO must be notified without undue delay.
Organisations may also wish to report the incident to Action Fraud (or Police Scotland, if the organisation is located in Scotland) if the incident poses a high risk of individuals being affected by fraud.

Unsure of whether a breach is notifiable?

Not every breach has to be reported to the ICO. The ICO has a self-assessment tool on its website to assist organisations in determining whether a breach poses a risk to people’s rights and freedoms and should therefore be reported. The self-assessment takes five minutes to complete.

If you need any advice on breaches of personal data, please do not hesitate to contact a member of our data protection team who will be happy to assist.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
