GDPR: the ICO attempts to clarify obligation to report serious data breaches

Faced with misleading press stories, the ICO has been addressing misconceptions about the GDPR by publishing myth busting blogs, including on the new requirement to report serious breaches of personal data.

Not all personal data breaches will need to be reported to the ICO, only if a risk to people’s rights and freedoms is likely.  The ICO does not give strict instructions of what incidents are serious enough to report but reiterates it is when people may suffer a significant detriment such as damage to reputation or financial loss. The ICO has encouraged all organisations to look at the types of incidents they could face to develop a sense of what would be serious.

Although the requirement to report a serious breach is without undue delay and where feasible within 72 hours, they don’t expect a full final report with all details within this time. The ICO have said that fines will be proportionate and will not be issued for every failure (although only time will tell what this will mean in practice). They remind firms that the point of the GDPR is not to punish organisations but to encourage companies to improve their ability to prevent breaches.

Under the current data protection law, reporting is best practice anyway even if not mandatory. Involving the ICO early can ensure the firm receives the best guidance and mitigate any fines issued.

Organisations are encouraged to start planning now to ensure roles and processes are in place for when GDPR comes into effect in May 2018.