GDPR - 09.04.2018

The GDPR: reporting data breaches

You’ve heard that when the General Data Protection Regulation comes into force businesses will have to self-report every personal data breach to the Information Commissioner’s Office (ICO). Is this true?

Getting closer. The General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, applies to virtually all businesses (there is no small business exemption) and you should be well underway with your preparations by now. Unfortunately, there are many myths circulating about the GDPR and its implications. One is that all businesses will be legally obliged to self-report every personal data breach that occurs to the Information Commissioner’s Office (ICO) - the regulator responsible for policing the GDPR.

The true story. Whilst the GDPR does require the self-reporting of personal data breaches, it does not apply to every single situation. You will only be required to report a personal data breach to the ICO if it’s “likely to result in a risk to people’s rights and freedoms”. Where this arises, you must notify the ICO of the breach without undue delay and not later than 72 hours after becoming aware of it. If you take longer than this, you will have to give reasons for the delay. Where there’s no such risk present, you don’t have to self-report the breach at all.

How to tell. There’s no single rule you must follow when assessing the risks of a personal data breach - it all depends on the relevant facts of the situation. By way of an example, the theft of a customer database - where the personal data it contains could be used to commit identity fraud - must be notified to the ICO. This is because it could have serious risks for those individuals, e.g. they could suffer financial loss. Conversely, if a staff telephone list was left somewhere accidentally, this would not normally need to be notified to the ICO - assuming, of course, the risks to people’s rights and freedoms are non-existent.

Tip. Where you conclude that there’s no need to report a personal data breach to the ICO, you must be able to justify this decision. Keep a written record of the breach itself (what happened, what data was involved and what you did about it) and clearly document the reasons behind your decision not to notify, so that you can show the ICO your reasoning if it is ever questioned.

A personal data breach will only need to be reported to the ICO if it’s “likely to result in a risk to people’s rights and freedoms”. An example would be the theft of a customer database.

© Indicator - FL Memo Ltd

Tel.: (01233) 653500 • Fax: (01233) 647100

subscriptions@indicator-flm.co.uk • www.indicator-flm.co.uk

Calgarth House, 39-41 Bank Street, Ashford, Kent TN23 1DQ

VAT GB 726 598 394 • Registered in England • Company Registration No. 3599719