01 November, 2017
The General Data Protection Regulation ('GDPR') will come into force in the UK from 25 May 2018. One of the changes the GDPR makes is the requirement for a personal data breach to be notified to the Information Commissioner's Office ('ICO').
Currently there is no legal obligation on most organisations to self-report personal data breaches to the ICO. However, self-reporting is currently treated as a mitigating factor by the ICO and so organisations may choose to self-report if they wish. This will change under the GDPR, which makes notification mandatory for all data controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. These breaches must be reported to the ICO within 72 hours of the data controller becoming aware of the breach.
The Article 29 Working Party has issued draft guidelines on personal data breach reporting to assist data controllers in understanding their self-reporting obligations under the GDPR. The draft guidance addresses the following points:
When does the 72 hour clock start?
The 72 hour time frame begins the moment the data controller becomes aware of the breach. This may be clear at the outset but in other cases it may take some time before it is established that there has been a breach. The draft guidance emphasises that an investigation should begin as soon as possible to establish whether or not there has been a breach.
When does a breach need to be reported?
Personal data breaches are to be reported to the ICO where the breach is likely to result in a risk to the rights and freedoms of individuals. The GDPR explains that this can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to those individuals.
One example of where notification would be required is given in the draft guidance, in the context of a hospital. If critical medical data about patients are made unavailable, even temporarily, this could present a risk to individuals' rights and freedoms; for example, operations may be cancelled.
When does a breach not need to be reported?
Conversely, a personal data breach does not need to be reported to the ICO where the breach is not likely to result in a risk to the rights and freedoms of individuals. The following examples are provided in the draft guidance as situations where breaches would not need to be reported:
The draft guidance is open for consultation until the 28th November 2017. Finalised guidance will then be published in due course.
If you are looking for more information with regards to our services, view our Commercial section. You can also contact Bethany Paliga in our Commercial department on 01254 222 347 or by email. Alternatively, send any question through to Forbes Solicitors via our online Contact Form.