Search

How can we help?

Icon

GDPR: the ICO attempts to clarify obligation to report serious data breaches

Faced with misleading press stories, the ICO has been addressing misconceptions about the GDPR by publishing myth busting blogs, including on the new requirement to report serious breaches of personal data.

Not all personal data breaches will need to be reported to the ICO, only if a risk to people’s rights and freedoms is likely.  The ICO does not give strict instructions of what incidents are serious enough to report but reiterates it is when people may suffer a significant detriment such as damage to reputation or financial loss. The ICO has encouraged all organisations to look at the types of incidents they could face to develop a sense of what would be serious.

Although the requirement to report a serious breach is without undue delay and where feasible within 72 hours, they don’t expect a full final report with all details within this time. The ICO have said that fines will be proportionate and will not be issued for every failure (although only time will tell what this will mean in practice). They remind firms that the point of the GDPR is not to punish organisations but to encourage companies to improve their ability to prevent breaches.

Under the current data protection law, reporting is best practice anyway even if not mandatory. Involving the ICO early can ensure the firm receives the best guidance and mitigate any fines issued.

Under the current data protection law, reporting is best practice anyway even if not mandatory. Involving the ICO early can ensure the firm receives the best guidance and mitigate any fines issued.

Organisations are encouraged to start planning now to ensure roles and processes are in place for when GDPR comes into effect in May 2018.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website

About this article

Read, listen and watch our latest insights

art
  • 13 February 2025
  • Public Procurement

Procurement Act 2023 – Coming into force on 24 February 2025

After a four-month delay from its original commencement date of 28 October 2024, the new Procurement Act 2023 is now due to come into force later this month on 24 February 2025.

art
  • 13 February 2025
  • Commercial Real Estate

What are restrictive covenants and how do they relate to the planning system?

Restrictive covenants on use can be one of the more problematic aspects of a property transaction. Even if the restrictive covenants do not affect one’s development plans for the land, they may be an issue for subsequent buyers or future lenders.

art
  • 13 February 2025
  • Immigration

Skilled Worker New Entrant Exemption – is it a good investment?

The “new entrant” exemption under the UK Skilled Worker Visa is a vital but often underappreciated element of the immigration system. It offers valuable benefits to both employers and employees.

art
  • 12 February 2025
  • Employment

Balancing the Equality Act: Lessons from Higgs v Farmor’s School

The Court of Appeal have today issued a judgment in the Kristie Higgs v Farmor’s School case, in which it has ruled that the actions of the school in dismissing Ms Higgs for expressing LGBT+ critical posts on her personal Facebook account, was unlawful discrimination on the grounds of religion or belief.

Pub
  • 10 February 2025
  • Privacy and Data Protection

Frequently asked questions on data retention

In this podcast, Jesse Akiwumi and Harry Berryman, members of the Data Protection team at Clarkslegal, address the top frequently asked questions we receive about data retention.

art
  • 10 February 2025
  • Litigation and dispute resolution

We are living in a material world, but am I a material breach?

In this article we will be looking at the meaning of these different types of breach.