Search

How can we help?

Icon

GDPR: the ICO attempts to clarify obligation to report serious data breaches

Faced with misleading press stories, the ICO has been addressing misconceptions about the GDPR by publishing myth busting blogs, including on the new requirement to report serious breaches of personal data.

Not all personal data breaches will need to be reported to the ICO, only if a risk to people’s rights and freedoms is likely.  The ICO does not give strict instructions of what incidents are serious enough to report but reiterates it is when people may suffer a significant detriment such as damage to reputation or financial loss. The ICO has encouraged all organisations to look at the types of incidents they could face to develop a sense of what would be serious.

Although the requirement to report a serious breach is without undue delay and where feasible within 72 hours, they don’t expect a full final report with all details within this time. The ICO have said that fines will be proportionate and will not be issued for every failure (although only time will tell what this will mean in practice). They remind firms that the point of the GDPR is not to punish organisations but to encourage companies to improve their ability to prevent breaches.

Under the current data protection law, reporting is best practice anyway even if not mandatory. Involving the ICO early can ensure the firm receives the best guidance and mitigate any fines issued.

Under the current data protection law, reporting is best practice anyway even if not mandatory. Involving the ICO early can ensure the firm receives the best guidance and mitigate any fines issued.

Organisations are encouraged to start planning now to ensure roles and processes are in place for when GDPR comes into effect in May 2018.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website

Author profile

About this article

Read, listen and watch our latest insights

art
  • 15 September 2025
  • Immigration

Sharp rise in Sponsor Licence Revocations – What employers need to know

The Home Office has reported a record number of sponsor licence revocations over the past year, as part of its intensified efforts to crack down on abuse of the UK’s immigration system.

art
  • 10 September 2025
  • Commercial Real Estate

Trouble at the Table: The Challenges Facing the UK Hospitality Sector in the run up to Christmas 2025

The UK hospitality sector, long celebrated for its vibrancy and resilience, is facing a perfect storm of economic, operational, and structural challenges in 2025.

art
  • 09 September 2025
  • Commercial Real Estate

Le bail commercial anglais: quelques points essentiels à considérer

Typiquement, les baux commerciaux en Angleterre sont de court terme, d’une durée de 5 ou 10 ans, avec un loyer de marché et des ajustements du loyer périodiques en fonction de l’inflation ou d’autres facteurs. 

art
  • 09 September 2025
  • Corporate and M&A

The Failure to Prevent Fraud Offence – be prepared to avoid criminal liability

The failure to prevent fraud offence is a new corporate offence which has come into force on 1 September 2025.

art
  • 08 September 2025
  • Employment

Can employers still make changes to contracts after the Employment Rights Bill?

The short answer is yes but it will be much more difficult for employers following the introduction of the Employment Rights Bill because their ability to fairly dismiss employees who do not agree contractual changes is being restricted. 

art
  • 05 September 2025
  • Privacy and Data Protection

When Ignoring a DSAR Becomes a Criminal Offence

On 3 September 2025, Mr Jason Blake appeared at Beverley Magistrates Court and was fined for failing to respond to a data subject access request (DSAR).