News article

ICO warns on over-reporting of data breaches

17 September 2018


Businesses are inundating the UK privacy regulator with breach reports

At a recent cyber security conference, the ICO deputy commissioner revealed that misconceptions are still commonplace among organisations more than three months after the General Data Protection Regulation (GDPR) came into force.

These misconceptions cause businesses to make some common mistakes, including:

  • reporting every incident involving personal information, no matter how trivial
  • misinterpreting the 72 hours reporting timeline
  • submitting incomplete data breach reports

The ICO gave additional information to clarify these issues.

Over-reporting
Organisations have been making around 500 calls a week to the ICO breach reporting line since GDPR came into force. Around a third of these disclose minor data incidents that don't actually meet the threshold for notification under the GDPR. This creates an unnecessary burden on the reporting company, as well as on the ICO.

In light of the over-reporting issue, the regulator suggests that businesses read its reporting guidance carefully and refer, in particular, to the reporting threshold.

72 hours reporting timeline
The ICO points out that many businesses also struggle with the concept of 72 hours as defined by the GDPR. Some businesses mistakenly believe that the mandatory reporting period for reportable breaches is 72 'working' hours. In fact, this is 72 hours from the point of breach discovery - the clock starts ticking from the moment you become aware of the breach.

Incomplete reports
Some of the breach reports filed with the ICO have been incomplete. The ICO guidance sets out clearly what you should include when you report a breach and how quickly you should provide this information. Even if you can't provide everything within the first 72 hours, the ICO will expect you to prioritise the investigation, give it adequate resources, and be open and ready to provide it with as much detail as you can, as quickly as possible.

By way of reminder, a personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Organisations have a duty under the GDPR to report personal data breaches to the ICO where the breach is likely to pose a risk to data subjects. They must report this within 72 hours of becoming aware of the breach, where feasible. Additional obligations apply to report the breach to data subjects, without undue delay, if the breach is likely to result in a high risk of adversely affecting individuals' rights and freedoms.

Read more about reporting serious breaches of personal data.