If your company suffers a data breach, you must report this as per the data protection rules. The Information Commissioner’s Office (ICO) is an independent body aiming to help organisations in England comply with data protection law. In particular, they seek to enforce the rules within the General Data Protection Regulation (GDPR). This article will detail the circumstances in which your business should report data breaches to the ICO to ensure your company complies with the relevant rules and avoids financial penalties.
When Does My Business Need to Report a Data Breach to the ICO?
Your organisation must notify the ICO of a breach if:
- a personal data breach has occurred; and
- that breach could likely result in a risk to people’s rights and freedoms.
What is a ‘Personal Data Breach’?
A personal data breach occurs when there is a security breach leading to the:
- accidental or unlawful destruction, loss or alteration of personal data;
- unauthorised disclosure of personal data; or
- unauthorised access to personal data.
Security breaches include both accidental and deliberate access. An example of accidental unauthorised access would be a member of staff mistakenly sending occupational health materials to the wrong colleague.
In contrast, an example of deliberate unauthorised access would be a cyber-attack on your company, resulting in cyber-criminals obtaining your customers’ payment details.
How Does a Breach ‘Risk People’s Rights and Freedoms’?
Both examples mentioned above constitute a risk to someone’s rights and freedoms. In the first example (sending occupational health materials to the wrong staff member), someone’s sensitive personal information mistakenly goes to a colleague without their consent. This is a significant breach of trust and their right to privacy.
The second example (a cyber-attack resulting in the theft of customer payment details) puts those customers at risk of identity fraud and financial loss. Therefore, it is simple to satisfy this second element.
However, there are occasional instances where a personal data breach does not significantly impact the rights and freedoms of individuals. For example, you are unlikely to need to report a breach to the ICO if it involves:
- losing a printed staff telephone extension number sheet;
- the accidental deletion of a spreadsheet containing staff preferences for an upcoming team meal; and
- emailing the wrong payslip to an employee but successfully recovering the email before the staff member opens it.
What Happens if a Data Breach Passes Both Tests?
In that situation, your business should report the breach to the ICO through their website within 72 hours. Alternatively, if your organisation notifies the ICO after 72 hours, it should explain the delay. You should carefully consider these reasons because missing the 72-hour deadline is a technical breach of the GDPR and may result in a fine.
What to Include in a Breach Notification?
Your business needs to try to summarise its concerns about the relevant breach. In particular, you should try to include:
- details of the breach and whether you believe it was accidental or deliberate;
- the likely number of individuals affected by the breach;
- the contact details of your data protection officer (if your business has one);
- a prediction of the likely consequences of the breach; and
- any measures you have taken (if any) to mitigate and deal with the initial impact of the data breach.
What Happens After I Notify the ICO?
Following receipt of your breach notification, the ICO will start an investigation. They are likely to ask some supplementary questions and consider the seriousness of the breach and whether your company could have done something to avoid it in the first place.
Key Takeaways
Following data protection rules can reduce the likelihood of needing to report a data breach to the ICO. However, if they occur, it is essential to comply with the 72-hour deadline. Your business must assess whether the breach involves personal data and whether it risks individual rights and freedoms and report to the ICO accordingly.
If you need help with data protection rules and data breach notifications to the ICO, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
The Information Commissioner’s Office relies on self-reporting under the provisions of the GDPR. While it may be tempting not to mention data breaches, organisations that fail to report them can receive hefty financial penalties from the ICO.
This will depend on the exact circumstances. However, the ICO will likely impose a harsher penalty upon a cyber-attack on a weak IT system with minimal data security than the accidental distribution of an email to an incorrect recipient.