Search

How can we help?

Icon

Breaches of personal data – notification under UK GDPR

The European Data Protection Board has opened a public consultation in relation to one of its guidelines on personal data breach notification under the GDPR. Although the UK has left the EU, the ICO has confirmed that these guidelines continue to be relevant to the UK data protection regime.
The above guideline is quite specific, relating to breach notification across member states, however, it presents a good opportunity for us to remind organisations of breach obligations more generally.

Reporting timeline and fines

Organisations must report personal data breaches to the ICO without undue delay, and where feasible within 72 hours of becoming aware of the breach. In some cases, organisations must also inform the individuals whose personal data is affected.
Failing to notify the ICO of all notifiable breaches can result in a fine of up to £8.7 million or 2 per cent of an organisation’s global turnover. The ICO’s other corrective powers can also be combined with the fine.

Notification to the ICO

Notification to the ICO must be made where a personal data breach is likely to result in a risk to individuals’ rights and freedoms. To assess whether this is the case, organisations should consider the specific circumstances of the breach and its potential impact. If an organisation decides against reporting the breach, it should document this and retain any relevant information it used to arrive at its decision that there is no risk to individuals’ rights and freedoms.
Information to include in a breach notification to the ICO:

  • the details of the personal data breach, such as the type of personal data involved as well as the number of individuals affected;
  •  a description of the likely consequences of the personal data breach;
  • a description of actions that are (or will be) taken to deal with the personal data breach, or to mitigate its negative effects;
  • the date and time the breach was detected;
  •  the date and time the breach actually occurred (or an estimate); and
  • the data protection officer’s name and contact details, or some other point of contact where more information can be obtained;

Because information must be provided without undue delay, it is an option for organisations to notify the ICO in stages if they do not have all of the details.

Organisations must report personal data breaches to the ICO without undue delay, and where feasible within 72 hours of becoming aware of the breach.

Notification to individuals

Individuals must be notified of a breach where it is likely to result in a high risk to their rights and freedoms. This threshold is higher than reporting to the ICO, and so where individuals must be notified, the ICO will always have to be notified too. As with reporting to the ICO, individuals must be notified without undue delay.

Information to include in a breach notification to individuals:

  • the likely consequences of the personal data breach;
  • a description of the measures taken, or proposed to be taken, to deal with the breach including actions taken to mitigate its effects; and
  • the data protection officer’s name and contact details, or some other point of contact where more information can be obtained.

If there are any steps which the individuals can themselves take to mitigate the impact of the breach, organisations should also communicate this to them. This may include, for example, changing passwords.

Other notifications

In a major cyber incident, the ICO recommends considering whether this should be reported to the National Cyber Security Centre (NCSC). The NCSC responds to cyber security incidents to reduce the harm they cause to organisations. Showing that the help of the NCSC has been sought may be an important feature of breach handling. However, it is not an alternative to reporting the breach to the ICO; the ICO must be notified without undue delay.
Organisations may also wish to report the incident to Action Fraud (or Police Scotland, if the organisation is located in Scotland), if the incident could have a high risk of individuals being affected by fraud.

Unsure of whether a breach is notifiable?

Not every breach has to be reported to the ICO. The ICO has a self-assessment tool on its website to assist organisations in determining whether a breach poses a risk to people’s rights and freedoms and should therefore be reported. The self-assessment takes five minutes to complete.

If you need any advice on breaches of personal data, please do not hesitate to contact our data breach solicitors who will be happy to assist.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

art
  • 12 September 2024
  • Privacy and Data Protection

2024 in review: tracking key data protection developments

As we approach the final quarter of 2024, it’s an opportune moment to revisit the data protection trends and developments that were anticipated at the end of 2023. Now, let’s see how those predictions have played out.

art
  • 02 September 2024
  • Employment

Social Media – how private is your personal data

Nowadays most people have at least one social media account. Whether it’s Facebook or TikTok, X, or LinkedIn, most adults have an online presence.

art
  • 29 August 2024
  • Privacy and Data Protection

What a controller or a processor needs to know…in a nutshell

Data processing agreements are a common feature of contracts for the supply of services, for example often featuring as self-contained schedules to master services agreements.

Pub
  • 20 August 2024
  • Privacy and Data Protection

Data Protection unlocked for HR: How to ensure compliance?

In the second episode of the ‘Data Protection Unlocked for HR’ podcast series, Harry Berryman and Shauna Jones, members of the Clarkslegal data protection team, share invaluable insights on how HR can ensure compliance, safeguard employee data, and maintain privacy standards.

art
  • 14 August 2024
  • Privacy and Data Protection

Data protection audit – what you need to know

A data protection audit is the process of auditing all of your data protection processes and procedures to understand your current levels of compliance and identify any areas for improvement.

art
  • 05 August 2024
  • Employment

AI and Recruitment

To assist employers who are using, or considering the use of, AI in recruitment, we have put together a summary of the key risks that employers should be aware of.