Posted by Lee Hellingsworth on October 3, 2017
The Information Commissioner’s Office (ICO) has provided some clarity on what action organisations will need to take under the forthcoming General Data Protection Regulation (GDPR) when they suffer a serious breach of personal data.
The ICO has attempted to debunk misleading GDPR stories in the media claiming that every breach will have to be reported to the regulator and to customers immediately, and that failing to do so will attract huge fines.
When GDPR comes into full effect on 25 May 2018, the ICO says it will become mandatory to report a personal data breach if it is likely to result in a risk to the rights and freedoms of individuals. Conversely, where a breach is unlikely to create such a risk, there will be no need to report it.
Under current rules, most personal data breach reporting is not compulsory, though it is best practice. So mandatory reporting under GDPR, where a breach results in a risk to people’s rights and freedoms, will be a new requirement for many.
The threshold to determine whether an incident needs to be reported to the ICO depends on the risk it poses to the people involved.
European guidelines will assist organisations in determining thresholds for reporting, though the best approach will be for those organisations to themselves review the types of incidents they may face, and develop a sense of what constitutes a serious incident in the context of their own data and customers.
The ICO says high-risk situations are likely to include the potential for people to suffer significant detrimental effects through, for example, discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage.
Where organisations are unsure about who has been affected, the ICO will be able to advise and, in certain cases, order the organisation to contact the affected people.