Search

How can we help?

Icon

GDPR: the ICO attempts to clarify obligation to report serious data breaches

Faced with misleading press stories, the ICO has been addressing misconceptions about the GDPR by publishing myth busting blogs, including on the new requirement to report serious breaches of personal data.

Not all personal data breaches will need to be reported to the ICO, only if a risk to people’s rights and freedoms is likely.  The ICO does not give strict instructions of what incidents are serious enough to report but reiterates it is when people may suffer a significant detriment such as damage to reputation or financial loss. The ICO has encouraged all organisations to look at the types of incidents they could face to develop a sense of what would be serious.

Although the requirement to report a serious breach is without undue delay and where feasible within 72 hours, they don’t expect a full final report with all details within this time. The ICO have said that fines will be proportionate and will not be issued for every failure (although only time will tell what this will mean in practice). They remind firms that the point of the GDPR is not to punish organisations but to encourage companies to improve their ability to prevent breaches.

Under the current data protection law, reporting is best practice anyway even if not mandatory. Involving the ICO early can ensure the firm receives the best guidance and mitigate any fines issued.

Under the current data protection law, reporting is best practice anyway even if not mandatory. Involving the ICO early can ensure the firm receives the best guidance and mitigate any fines issued.

Organisations are encouraged to start planning now to ensure roles and processes are in place for when GDPR comes into effect in May 2018.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website

About this article

Read, listen and watch our latest insights

art
  • 04 July 2025
  • Employment

Update: The ‘Employment Rights Bill Implementation Roadmap’

The Employment Rights Bill is a draft law which is poised to expand the rights of employees, signifying a major overhaul in employment law. The ERB has already been passed by the House of Commons and is currently at the ‘Report Stage’ in the House of Lords.

Pub
  • 03 July 2025
  • Corporate and M&A

Get your tech business market ready for sale

In our latest podcast, join Stuart Mullins and Nicky Goringe Larkin to learn how to maximise your tech business value and get your tech business market ready for sale.

art
  • 03 July 2025
  • Immigration

Major Changes to the Immigration Rules from 1 July 2025: What Employers and Visa Holders Need to Know

We outline the key updates, how they affect employers and visa holders—particularly those on the Skilled Worker and Global Business Mobility (GBM) routes—and how our team can assist you in staying compliant and ahead of policy changes.

art
  • 02 July 2025
  • Employment

Day One Rights: What the New UK Employment Bill Means for You and Your Workplace

Let’s unpack what’s changing in the UK Employments Rights Bill, and why it matters, and what both employees and employers should expect.

art
  • 01 July 2025
  • Privacy and Data Protection

Data protection compliance: tricky issues for employers

This article highlights key issues organisations may face when processing personal data and stresses the importance of a proactive approach. It also outlines tailored training packages to support compliance and build internal expertise.

art
  • 26 June 2025
  • Employment

A shift in EHRC guidance on single sex spaces in the workplace

In a recent significant shift, the Equality and Human Rights Commission (“the EHRC”) has quietly amended its guidance on single sex spaces in the workplace.