With nine months to go until GDPR becomes effective, there are a lot of misleading press stories asserting that every breach will need to be reported to the Information Commissioner’s Office (ICO) and to customers alike. The ICO has challenged the myths around data breach reporting in its latest article.
In our last blog, we covered four myths busted by the ICO: those surrounding its new fining powers, the issue of consent, and the claim that the new regime is an onerous imposition of unnecessary and costly red tape. Here are the next four busted myths:
Myth #5: All personal data breaches will need to be reported to the ICO.
Fact: Elizabeth Denham, Information Commissioner, says, “It will be mandatory to report a personal data breach under the GDPR if it’s likely to result in a risk to people’s rights and freedoms”. If the breach is not likely to pose a risk to people’s rights and freedoms, the company need not report it to the ICO.
Denham further adds, “… the threshold to determine whether an incident needs to be reported to the ICO depends on the risk it poses to people involved”. The forthcoming European guidelines will help companies determine thresholds for reporting, but organisations can already begin looking at what constitutes a serious incident. Potential high-risk situations include people suffering a significant detrimental effect – for example, discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage.
In the event that organisations aren't sure about who is affected, the ICO will advise and, in specific cases, order them to contact the people affected if the incident is judged to be high risk.
Myth #6: All details need to be provided as soon as a personal data breach occurs.
Fact: Under the GDPR there is a requirement for organisations to report a personal data breach that affects individuals’ rights and freedoms immediately and, where feasible, not later than 72 hours after becoming aware of it.
Organisations can provide the key details when first reporting and submit the full report later. However, the ICO will want to know the potential scope and cause of the breach, the mitigation actions you plan to take, and how you plan to address the problem.
Myth #7: If you don’t report in time a fine will always be issued and the fines will be huge.
Fact: Denham has again reiterated that, “… fines under the GDPR will be proportionate and not issued in the case of every infringement”.
Organisations ought to know that the ICO will be able to issue fines both for failing to notify and for not notifying in a timely manner. The ICO warns that if organisations deliberately neglect to comply with the law or totally ignore it, especially where the data privacy risk is high, then it has that sanction available.
“Tell it all, tell it fast, tell the truth.”
Myth #8: Data breach reporting is all about punishing organisations.
Fact: The law is intended to push organisations to step up their capacity to detect and deter breaches. The primary motive is not to punish them but to improve how they manage security vulnerabilities.
“We understand that there will be attempts to breach organisations’ systems, and that data breach reporting will not miraculously halt criminal activity. But the law will raise the level of security and privacy protections across the board,” notes Denham.
The ICO is in the process of introducing a new phone reporting service alongside a web reporting form, which will enable businesses and organisations to report personal data breaches now and, after the GDPR takes effect, under the new regime. Until 25 May 2018, all data breaches will be assessed under the current Data Protection Act.
Stay tuned for more on GDPR
The QX team has been working hard to ensure that our clients and our business are prepared for GDPR before May 2018 and we have our own in-house IBITG certified GDPR practitioner to ensure we are GDPR ready ourselves. All our offices (UK and India) are ISO 27001:2013 and CyberEssentials Plus certified (which covers almost 75% of GDPR requirements) so we are well on the way.