As of 25 May 2018 any company experiencing a personal data breach has a duty to consider whether this should be notified to the Information Commissioner’s Office (ICO).
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Not all breaches need to be reported – only those that pose a risk to people, including their rights and freedoms. If it’s likely there will be a risk, then you must notify the ICO. When reporting a breach, you must provide the following to the ICO within 72 hours of identifying the breach:
- a description of the nature of the personal data breach including, where possible: the categories and approximate number of individuals concerned; and the categories and approximate number of personal data records concerned
- the name and contact details of the data protection officer (if your organisation has one) or another point of contact from whom the ICO can obtain more information
- a description of the likely consequences of the personal data breach
- a description of the measures taken, or those proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
If you don’t have all the required information available within 72 hours, you can provide it in phases, as long as this is done without undue further delay.
The ICO expects controllers to prioritise and resource investigation, and companies must still notify the ICO of the breach when they become aware of it and submit further information as soon as possible.
You can report a breach to the ICO either by telephone or online.
For further information please contact Sarah Stephens, Head of Cyber on +44 (0)20 3394 0486