Search

How can we help?

Icon

GDPR: the ICO attempts to clarify obligation to report serious data breaches

Faced with misleading press stories, the ICO has been addressing misconceptions about the GDPR by publishing myth busting blogs, including on the new requirement to report serious breaches of personal data.

Not all personal data breaches will need to be reported to the ICO, only if a risk to people’s rights and freedoms is likely.  The ICO does not give strict instructions of what incidents are serious enough to report but reiterates it is when people may suffer a significant detriment such as damage to reputation or financial loss. The ICO has encouraged all organisations to look at the types of incidents they could face to develop a sense of what would be serious.

Although the requirement to report a serious breach is without undue delay and where feasible within 72 hours, they don’t expect a full final report with all details within this time. The ICO have said that fines will be proportionate and will not be issued for every failure (although only time will tell what this will mean in practice). They remind firms that the point of the GDPR is not to punish organisations but to encourage companies to improve their ability to prevent breaches.

Under the current data protection law, reporting is best practice anyway even if not mandatory. Involving the ICO early can ensure the firm receives the best guidance and mitigate any fines issued.

Under the current data protection law, reporting is best practice anyway even if not mandatory. Involving the ICO early can ensure the firm receives the best guidance and mitigate any fines issued.

Organisations are encouraged to start planning now to ensure roles and processes are in place for when GDPR comes into effect in May 2018.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website

Author profile

About this article

Read, listen and watch our latest insights

art
  • 16 July 2026
  • Corporate and M&A

EMIs – The basics

Discover the essentials of Enterprise Management Incentives (EMIs), an HMRC-approved employee share scheme offering tax advantages. Learn how EMIs incentivise staff, eligibility requirements, and how Clarkslegal can help tailor a scheme for you.

Pub
  • 15 July 2026
  • Litigation and dispute resolution

ICC Arbitration Rules 2026 overhaul: The end of Terms of Reference and future trends – Episode 3

In this final episode, Jack Hobbs (Clarkslegal) and Christopher Howitt (Three Stone) discuss the impact of the ICC Arbitration Rules 2026 overhaul, focusing on the end of Terms of Reference. Hear expert insights and practical tips for adapting to the new rules.

art
  • 15 July 2026
  • Employment

New guidance on interim relief: More applications, same high threshold

In certain limited unfair dismissal claims (such as those for automatic unfair dismissal relating to a protected disclosure) claimants can apply for interim relief. This is an emergency measure which essentially prevents a dismissal from taking effect until the claim has been heard.

Pub
  • 09 July 2026
  • Litigation and dispute resolution

The Arbitration Act 2025 – Factsheet

This factsheet outlines the major reforms and key developments introduced by the Arbitration Act 2025, including updates on summary disposal, jurisdictional challenges, emergency arbitrators, arbitrator disclosure duties, and governing law in arbitration proceedings.

art
  • 09 July 2026
  • Immigration

Right to Work Checks are changing from 1 October 2026: Is your business ready?

The Home Office’s new rules, effective 1 October 2026, will overhaul right to work checks and raise the risk of civil penalties for UK businesses.

art
  • 08 July 2026
  • Privacy and Data Protection

ICO prosecutes employee under the Data Protection Act for forwarding client data to his personal email address

The issue of employees taking confidential business information or personal data when moving to a new employer remains a significant concern for businesses.