The Information Commissioner, Elizabeth Denham, has once again issued a statement to clarify the responsibilities of organisations in reporting a data breach and has acted to dispel some of the rumours surrounding the enforcement practices on the ICO.
In the latest statement from the ICO, the Commissioner addresses certain key areas of data breach reporting, tackling those key issues one by one and offering greater clarification.
The first issue is the belief that all personal data breaches must be reported to the ICO. Elizabeth Denham clarifies this with the following statement:
It will be mandatory to report a personal data breach under the GDPR if it’s likely to result in a risk to people’s rights and freedoms.
The statement goes on to say that whilst currently it is “best practice” to report personal data breaches, organisations will need to review their systems to ensure that those incidents that are reportable under GDPR can be correctly identified and appropriate action taken.
The statement also reaffirms that where a personal data breach exposes people’s rights and freedoms to a high risk, the organisation will also need to notify the individuals concerned. Thus far the ICO has offered some guidance on what the “high risks” are, and they include discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage.
The ICO also clarifies the reporting timescale for personal data breaches, correcting the belief that all information must be provided to the ICO as soon as the data breach occurs. Under GDPR the breach must be reported within 72 hours of the organisation becoming aware of it, and where all the information regarding the breach is not yet to hand, the remaining details can be provided later. This clearly recognises the organisation’s responsibility to make a correct risk assessment of the threats and to take any immediate action that may be required to mitigate the effects of the breach.
Finally, Elizabeth Denham addresses the question of the punishments that will be applied to personal data breaches. As she has stated previously, the intention of the ICO in implementing GDPR is to encourage and help companies to improve their ability to “detect and deter breaches”; the success of the ICO will be measured by this, and it is not there simply to impose financial penalties on organisations as a means of revenue generation.
The full statement from the ICO may be viewed here.