Under the General Data Protection Regulation (GDPR), businesses must report a personal data breach if it's likely to result in a risk to people's rights and freedoms.
You must report such incidents to the Information Commissioner's Office (ICO) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. If you are unable to report the suspected breach within 72 hours, you should explain the reasons for the delay to the ICO as soon as possible.
If a high risk to people's rights and freedoms is likely, you will also need to report the breach to the affected individuals.
This new requirement came into effect on 25 May 2018. See other key GDPR changes.
What is a breach of personal data?
A personal data breach isn't only about loss or theft of personal data. Under the GDPR, a breach can be any type of security incident, deliberate or accidental, that affects the confidentiality, integrity or availability of personal data. For example, a breach may happen:
- if you lose, destroy, corrupt or disclose personal data
- if someone accesses the data or passes it on without proper authorisation
- if the data becomes unavailable, e.g. through ransomware, or through accidental loss or damage
Read more about personal data breaches.
What types of incidents will I have to report?
If the data breach is likely to cause a significant detrimental effect to individuals, you will have to report it to the ICO. This may be the case, for example, if the situation is likely to cause:
- damage to reputation
- emotional distress
- identity theft or fraud
- financial or material loss
- other significant economic or social disadvantage
You may also have to report the breach under other laws, such as the Privacy and Electronic Communications Regulation (PECR) or e-privacy regulation.
If you can't tell whether the situation poses a significant risk, or who is affected by the breach, the ICO will be able to advise you.
If you consider the incident low risk and unlikely to affect individuals adversely, you may choose not to report it to the ICO. However, in this case, you should document your decision and actions so that you can justify them later, if the need arises. Find out more about accountability under the GDPR.
If you use a processor, you should set out the requirements on breach reporting in your contract with them. See more on contracts and liabilities between controllers and processors.
When do I have to report a data breach?
Under the GDPR, you must report a serious personal data breach:
- without undue delay
- within 72 hours of becoming aware of the breach, where feasible
The ICO will want to know:
- the potential scope of the breach, e.g. the number of affected individuals and data records
- the likely consequences of the breach
- what you will do to deal with and mitigate the breach
- how you plan to address the adverse effects of the breach
Even if you don't have all the details available within the prescribed 72 hours, you should contact the ICO about the breach as soon as possible. You will be able to give them additional information later, as long as you are doing all you can to prioritise the investigation and deal with the breach appropriately. See more on dealing with business data breach and theft.
The Article 29 Working Party offers detailed guidelines on personal data breach notification.
What if I fail to notify the ICO?
The ICO can fine you for failing to notify it of a serious data breach. It can also penalise you for failing to notify in time. However, not all infringements will incur sanctions.
You can avoid fines and penalties if you are open and honest about the breach, report it without delay and show that you are taking personal data security seriously. See more on GDPR penalties and enforcement.
This guide aims to help you understand GDPR and your obligations under the law, but it does not constitute legal advice. For definitive legal guidance, see the ICO's guide on GDPR or consider getting independent legal advice.