Unnecessary data breach reports
Enforcing authority. The Information Commissioner’s Office (ICO) is responsible for enforcing data protection legislation, including the UK General Data Protection Regulation (GDPR). This legislation requires data controllers to self-report data breaches in certain circumstances. However, the ICO has revealed that nearly a third of the self-reports it has received since the GDPR’s inception were actually unnecessary, e.g. because they did not meet the minimum threshold for reporting.
Legal requirement. So, when is a business under a legal duty to self-report a data breach to the ICO? A self-report is only required where the breach is likely to pose a risk of harm to the data subjects involved; if there is no risk of harm to data subjects, no self-report is required. A data breach can include the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any personal data.
Defining harm. Rather unhelpfully, the GDPR does not define the meaning of “harm”, but it may include any type of physical, psychological, emotional, financial or reputational damage. Whether such harm is likely is for the business involved in the data breach to decide and, when doing so, the situation must be viewed from the data subject’s perspective.
Tip. You can determine whether a data breach self-report is necessary by using the ICO’s free online self-assessment tool (see The next step). It takes approximately five minutes to complete. If it concludes that no self-report is necessary, keep a copy of the result for your records. Where a risk of harm is likely, the ICO must be notified within 72 hours of you becoming aware of the data breach.
For further information on the ICO’s data breach self-assessment tool, visit https://www.tips-and-advice.co.uk, Download Zone, year 22, issue 11.