When Does My Company Have to Report Data Breaches to the ICO in the UK?

In Short

  • You must report a data breach to the ICO if it involves personal data and is likely to risk people’s rights and freedoms.

  • Not all breaches are reportable, but you must document your reasoning if you decide not to report.

  • If the breach is reportable, you must notify the ICO within 72 hours, or explain any delay.

Tips for Businesses

Have a clear data breach response plan so your team knows what to do straight away. Assess whether personal data is involved and whether there is a real risk to individuals. Keep written records of your decision-making, even if you decide not to report. Training staff and strengthening security controls can significantly reduce risk.

If your company suffers a data breach, you must report it in accordance with data protection rules. The Information Commissioner’s Office (ICO) is an independent body aiming to help organisations in England comply with data protection law. In particular, it seeks to enforce the rules within the General Data Protection Regulation (GDPR). This article will explain the circumstances in which you should report data breaches to the ICO, helping your company follow the rules and avoid fines.

When Does My Business Need to Report a Data Breach to the ICO?

Your organisation must notify the ICO of a breach if:

  • a personal data breach has occurred; and
  • that breach could likely result in a risk to people’s rights and freedoms.

What is a ‘Personal Data Breach’?

A personal data breach occurs when there is a security breach leading to the:

  • accidental or unlawful destruction, loss or alteration of personal data;
  • unauthorised disclosure of personal data; or
  • unauthorised access to personal data.

Security breaches include both accidental and deliberate access.

An example of accidental access would be a member of HR sending a copy of an occupational health assessment to the wrong employee. The assessment might contain the colleague’s full name, national insurance number and sensitive medical history. This showcases how personal information may accidentally spread without proper authorisation.

In contrast, an example of deliberate unauthorised access is a cyber-attack on your company that results in cybercriminals obtaining your customers’ payment details.

How Does a Breach ‘Risk People’s Rights and Freedoms’?

Both examples mentioned above pose a risk to someone’s rights and freedoms. In the first example, sending occupational health materials to the wrong staff member results in sensitive personal information being accidentally shared with a colleague without consent. This is a significant breach of trust and privacy.

The second example, a cyber-attack resulting in the theft of customer payment details, puts those customers at risk of identity fraud and financial loss. In cases like these, the requirement of showing a risk to individuals is easily met.

If, on the other hand, your company concludes that a personal data breach does not pose a risk to rights and freedoms, you should document the reasons for that decision.

There are occasional instances in which a personal data breach does not significantly impact the rights and freedoms of individuals. For example, you likely do not need to report a breach to the ICO if it involves:

  • losing a printed staff telephone extension number sheet;
  • the accidental deletion of a spreadsheet containing staff preferences for an upcoming team meal; or
  • emailing the wrong payslip to an employee, but successfully recovering the email before the staff member opens it.

What Happens if a Data Breach Passes Both Tests?

In this situation, your business should report the breach on the ICO website within 72 hours. If your organisation notifies the ICO after 72 hours, you must explain the delay in detail.

Failure to meet the 72-hour timeframe is a technical breach of the GDPR and may result in a fine.

What to Include in a Breach Notification?

Your business should provide a summary of its concerns about the breach, including:

  • details of the breach and whether you believe it was accidental or deliberate;
  • the likely number of individuals affected by the breach;
  • the contact details of your data protection officer (if your business has one);
  • a prediction of the likely consequences of the breach; and
  • any measures you are taking (if any) to mitigate and deal with the initial impact of the data breach.

What Happens After I Notify the ICO?

Following receipt of your breach notification, the ICO will begin an investigation. It is likely to ask follow-up questions and evaluate the breach’s severity and whether it could have been avoided.

If the ICO determines that the data breach was serious and violated the GDPR, it may take enforcement action against your organisation. This could involve instructing your organisation to improve procedures or issuing a fine reflecting the potential impact on individuals.

How Can Businesses Reduce the Risk of Data Breaches?

Prevention is always better than a cure. Businesses should adopt robust data protection measures, such as:

  • encrypting personal data;
  • ensuring staff receive regular training on data handling;
  • implementing multi-factor authentication on systems that store sensitive information;
  • conducting periodic data protection impact assessments (DPIAs) to help identify weak points in your processes; and
  • maintaining an incident response plan, which will help your organisation act quickly and efficiently in the event of a breach, limiting damage and ensuring compliance with reporting obligations.

Key Takeaways

Following data protection rules can reduce the likelihood of needing to report a data breach to the ICO. However, if a breach occurs, it is important to comply with the 72-hour deadline. Your business must assess whether the breach involves personal data and whether it risks individual rights and freedoms, and report to the ICO accordingly. If you need help with data protection rules and data breach notifications to the ICO, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Why do organisations have to report themselves to the ICO?

The ICO relies on self-reporting under the GDPR. While it may be tempting to avoid mentioning data breaches, organisations that do so can face hefty financial penalties.

Does the ICO treat accidental breaches differently from deliberate breaches?

This will depend on the exact circumstances. However, the ICO will likely impose a harsher penalty upon a cyber-attack on a weak IT system with minimal data security than the accidental distribution of an email to an incorrect recipient.

Do companies need to inform affected individuals as well as the ICO?

Yes. If a breach is likely to result in a high risk to the rights and freedoms of individuals, your organisation must also inform the affected individuals directly and without undue delay. This ensures they can take appropriate steps, such as changing passwords or monitoring their accounts for suspicious activity.

Can small businesses be fined for data breaches?

Yes. The ICO applies the same legal standards to all organisations, regardless of size. However, when determining penalties, the ICO considers factors such as the company’s resources, the steps taken to prevent the breach, and how promptly and transparently the business responded once it occurred.

Tom Khalid

Trainee Solicitor

Tom is a trainee solicitor at LegalVision. He studied History at the University of Leeds before completing the PGDL at the University of Law.

Qualifications: Postgraduate Diploma in Law, University of Law; Bachelor of History, University of Leeds.
