GDPR and Mandatory Breach Reporting

Commercial Article

01 November, 2017

The General Data Protection Regulation ('GDPR') will apply in the UK from 25 May 2018. One of the changes the GDPR makes is a requirement to notify personal data breaches to the Information Commissioner's Office ('ICO').

Currently there is no legal obligation on most organisations to self-report personal data breaches to the ICO. However, self-reporting is currently treated as a mitigating factor by the ICO, so organisations may choose to self-report if they wish. This will change under the GDPR, which makes notification mandatory for all data controllers unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Such breaches must be reported to the ICO without undue delay and, where feasible, within 72 hours of the data controller becoming aware of the breach; a notification made later than 72 hours must be accompanied by reasons for the delay.

The Article 29 Working Party has issued draft guidelines on personal data breach reporting to assist data controllers in understanding their self-reporting obligations under the GDPR. The draft guidance addresses the following points:

When does the 72 hour clock start?
The 72 hour time frame begins the moment the data controller becomes aware of the breach. This may be clear at the outset, but in other cases it may take some time before it is established that there has been a breach. The draft guidance emphasises that an investigation should begin as soon as possible to establish whether or not personal data have been breached. Awareness does not require a complete picture: where the full details cannot be gathered within the 72 hours, the GDPR permits the information to be provided to the ICO in phases, so a controller should not hold back an initial notification while the investigation continues.

When does a breach need to be reported?
Personal data breaches are to be reported to the ICO where the breach is likely to result in a risk to the rights and freedoms of individuals. The GDPR explains that this can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to those individuals.

One example of where notification would be required is given in the draft guidance, in the context of a hospital. If critical medical data about patients are made unavailable, even temporarily, this could present a risk to individuals' rights and freedoms; for example, operations may be cancelled. The example is a reminder that a breach of availability (data rendered inaccessible, for instance by a ransomware infection or a system failure), not only an unauthorised disclosure, can be a notifiable personal data breach.

When does a breach not need to be reported?
Conversely, a personal data breach does not need to be reported to the ICO where the breach is not likely to result in a risk to the rights and freedoms of individuals. The following examples are provided in the draft guidance as situations where breaches would not need to be reported:

  • A breach involving data which is already publicly available, where there is no likely risk to individuals, would not need to be notified.
  • A loss of encrypted data (e.g. an encrypted laptop or mobile device) would not need to be reported, provided that the key is held securely and that the encryption was in effect when the device was lost (i.e. the data were actually encrypted at rest and the device was locked or powered off, rather than left unlocked with the key available). Any decision not to report on the basis of encryption should be revisited if the facts change (e.g. if it turns out that the key was not secure). The draft guidance also notes that if no backup of the data exists, the loss of the device may still amount to an availability breach that needs to be assessed in its own right.

The draft guidance is open for consultation until the 28th November 2017. Finalised guidance will then be published in due course.

If you are looking for more information with regards to our services, view our Commercial section. You can also contact Bethany Paliga in our Commercial department on 01254 222 347 or by email. Alternatively, send any question through to Forbes Solicitors via our online Contact Form.
