GDPR: the ICO attempts to clarify obligation to report serious data breaches

Faced with misleading press stories, the ICO has been addressing misconceptions about the GDPR by publishing myth-busting blogs, including one on the new requirement to report serious breaches of personal data.

Not all personal data breaches will need to be reported to the ICO: a report is needed only if a risk to people’s rights and freedoms is likely. The ICO does not give strict instructions on which incidents are serious enough to report, but reiterates that it is when people may suffer a significant detriment, such as damage to reputation or financial loss. The ICO has encouraged all organisations to look at the types of incidents they could face to develop a sense of what would be serious.

Although a serious breach must be reported without undue delay and, where feasible, within 72 hours, the ICO does not expect a full final report with all details within this time. The ICO has said that fines will be proportionate and will not be issued for every failure (although only time will tell what this will mean in practice). It reminds firms that the point of the GDPR is not to punish organisations but to encourage companies to improve their ability to prevent breaches.

Louise Keenan

Associate

+44 118 960 4614

Under the current data protection law, reporting is best practice anyway even if not mandatory. Involving the ICO early can ensure the firm receives the best guidance and mitigate any fines issued.

Organisations are encouraged to start planning now to ensure roles and processes are in place for when GDPR comes into effect in May 2018.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website
