ICO addresses data breach notification “myths”
In a blog addressing false information about GDPR, Information Commissioner Elizabeth Denham has turned her attention towards data breach reporting.
She pointed to commentators who have claimed that, under GDPR, all breaches need to be reported to the ICO, all details of the breach need to be known straight away and that there’ll be huge fines for failing to report.
She said these statements are “myths” explained the truth about how and when breaches need to be reported and the repercussions for not doing so.
It will only be mandatory to report a personal data breach if it’s likely to result in a risk to people’s rights and freedoms. This covers significant economic or social disadvantages, such as discrimination, reputational damage or financial losses.
If there’s a high risk to people’s rights and freedoms, organisations will also need to report the breach to the affected individuals.
Ms Denham stated: “If organisations aren’t sure about who is affected, the ICO will be able to advise and, in certain cases, order them to contact the people affected if the incident is judged to be high risk.”
Any breach that risks people’s rights and freedoms must be reported within 72 hours of discovery. For that reason, the ICO emphasises that the data breach notification doesn’t need to include thorough details, at least initially. It’s understandable that organisations won’t have all the facts within 72 hours, but getting the most important details down quickly expedites the process to recovery. At the very least, organisations should be able to provide the potential scope and cause of the breach and the actions it plans to take to respond to and mitigate the problem.
Ms Denham also addressed claims that failing to report breaches would lead to massive fines. She’d previously dismissed such statements as “scaremongering” and was again clear that financial punishment would be a last resort. Similarly, she dismissed the idea that data breach reporting was designed to punish organisations. “The law is designed to push companies and public bodies to step up their ability to detect and deter breaches,” she said. “What is foremost in regulators’ minds is not to punish the organisations, but to make them better equipped to deal with security vulnerabilities.” She added: “We understand that there will [still] be attempts to breach organisations’ systems, and that data breach reporting will not miraculously halt criminal activity. But the law will raise the level of security and privacy protections across the board.”
Start preparing for GDPR
There’s less than eight months until GDPR takes effect, which means there’s still time to prepare for the change, but you need to act soon. Compliance is not something you want to leave until the last minute. As Ms Denham advises, all organisations should be making sure that they “have the roles, responsibilities and processes in place for reporting; this is particularly important for medium to large organisations that have multiple sites or business lines”.
If you need help Insight is able to offer expert guidance on effective preparation for GDPR, an annual subscription service for Information Governance advice and guidance, and can even act as your organisation's contracted Data Protection Officer should you so desire. Please contact me for more details on 07984 838038 or by email at firstname.lastname@example.org