UK General Data Protection Regulation (UK GDPR)

Under the UK General Data Protection Regulation (UK GDPR), businesses must report a personal data breach if it's likely to result in a risk to people's rights and freedoms.

What is a breach of personal data?

A personal data breach can be any type of security incident, deliberate or accidental, which affects the confidentiality, integrity or availability of personal data. For example, a breach may happen:

• if you lose, destroy, corrupt or disclose personal data
• if someone accesses the data or passes it on without proper authorisation
• if the data is made unavailable (eg through ransomware, or accidental loss or damage) and this unavailability has a significant negative effect on individuals

When a security incident takes place, you should quickly establish whether a personal data breach has occurred. The focus of your assessment should be the potential adverse consequences for individuals, based on:

• how serious or substantial these are, and
• how likely they are to happen

In some cases, you will have to tell the Information Commissioner's Office (ICO) about the breach or inform the individuals affected by it.

Should I report a data breach?

You do not need to report every data breach to the ICO. However, if the data breach is likely to pose risk to people's rights and freedoms, you will have to report it. This may be, for example, if the situation is likely to cause:

• discrimination
• damage to reputation
• emotional distress
• identity theft or fraud
• financial or material loss
• other significant economic or social disadvantages

You may also have to report the breach under other laws, such as the Privacy and Electronic Communications Regulation (PECR) or e-privacy regulation.

Telling individuals about a breach

If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR says you must inform those concerned directly and without undue delay. You should do this as soon as possible - particularly if there is a need to mitigate an immediate risk.

If you decide not to notify individuals, you will still need to notify the ICO unless you can demonstrate that the breach is unlikely to result in a risk to rights and freedoms.

The ICO has the power to compel you to inform affected individuals if they consider there is a high risk. In any event, you should document your decision-making process in line with the requirements of the GDPR accountability principle.

Determine the level of risk accurately

If you can't tell whether the situation poses a significant risk, or who is affected by the breach, the ICO will be able to advise you.

If you consider the incident low risk and unlikely to affect individuals adversely, you may choose not to report it to the ICO. However, in this case, you should document your decision and actions so that you can justify them later, if the need arises.

What if a processor experiences a data breach?

If your organisation uses a data processor, and this processor suffers a breach, they must inform you without undue delay as soon as they become aware of the breach. You should set out the requirements on breach reporting in your contract with them, as required by the UK GDPR. See more on contracts and liabilities between controllers and processors.

How long do organisations have to report data breaches?

You must report a notifiable breach to the ICO without undue delay, but no later than 72 hours after becoming aware of it. If you take longer than this, you must give the ICO reasons for the delay.

When reporting a breach, the UK GDPR requires you to provide the ICO with a description of:

• the nature of the breach, including:
  • the categories and approximate number of affected individuals
  • the categories and approximate number of affected data records
• the likely consequences of the breach
• the measures taken or proposed to be taken, to deal with and mitigate the breach
• the name and contact details of the data protection officer (if your organisation has one) or another contact point where more information can be obtained

Even if you don't have all the details available within the prescribed 72 hours, you should contact the ICO about the breach as soon as possible. You will be able to give them additional information later, as long as you are doing all you can to prioritise the investigation and deal with the breach appropriately.

How do I notify the ICO of the data breach?

To notify the ICO of a personal data breach, follow their self-assessment tool and guidance on reporting a breach.

Recording personal data breaches

As part of your obligation to comply with the accountability principle under the UK GDPR, you should ensure that you record all breaches, regardless of whether or not they need to be reported to the ICO. You should document the facts regarding the breach, its effects and the remedial action taken.

In addition to reporting and recording breaches, you may have additional notification obligations under other laws if you experience a personal data breach. For example, if you are a communications service provider, a UK trust service provider, an operator of essential services or a digital service provider.

You may also need to consider notifying third parties such as the police, insurers, professional bodies, or bank or credit card companies who can help reduce the risk of financial loss to individuals.

Failing to report a data breach

Failing to notify the ICO of a breach when required to do so can result in a heavy fine of up to £8.7 million or 2 per cent of your global turnover. The fine can be combined with the ICO's other corrective powers under the UK GDPR.

You can avoid fines and penalties if you are open and honest about the breach, report it without delay and show that you are taking personal data security seriously.

Make sure that you have a robust process in place to detect and notify breaches on time, and that you are able to provide the necessary details, if you experience a notifiable breach. If you decide you don't need to report the breach, make sure that you can justify this decision and document it.