ICO addresses data breach notification “myths”

In another blog addressing false information about the EU General Data Protection Regulation (GDPR), Information Commissioner Elizabeth Denham has turned her attention towards data breach reporting.

She pointed to commentators who have claimed that, under the GDPR, all breaches need to be reported to the Information Commissioner’s Office (ICO), all details of the breach need to be known straight away and that there’ll be huge fines for failing to report.

These statements are “myths”, Denham said, and she used the blog to explain the truth about how and when breaches need to be reported and the repercussions for not doing so.

The facts

It will only be mandatory to report a personal data breach if it’s likely to result in a risk to people’s rights and freedoms. This covers significant economic or social disadvantages, such as discrimination, reputational damage or financial losses.

If there’s a high risk to people’s rights and freedoms, organisations will also need to report the breach to the affected individuals.

Denham said: “If organisations aren’t sure about who is affected, the ICO will be able to advise and, in certain cases, order them to contact the people affected if the incident is judged to be high risk.”

Any breach that risks people’s rights and freedoms must be reported within 72 hours of discovery. For that reason, the ICO emphasises that the data breach notification doesn’t need to include thorough details – at least initially.

It’s understandable that organisations won’t have all the facts within 72 hours, but getting the most important details down quickly expedites the process to recovery. At the very least, organisations should be able to provide the potential scope and cause of the breach and the actions it plans to take to respond to and mitigate the problem.

Denham also addressed claims that failing to report breaches would lead to massive fines. She’d previously dismissed such statements as “scaremongering” and was again clear that financial punishment would be a last resort.

Similarly, she dismissed the idea that data breach reporting was designed to punish organisations. “The law is designed to push companies and public bodies to step up their ability to detect and deter breaches,” she said. “What is foremost in regulators’ minds is not to punish the organisations, but to make them better equipped to deal with security vulnerabilities.”

She added: “We understand that there will [still] be attempts to breach organisations’ systems, and that data breach reporting will not miraculously halt criminal activity. But the law will raise the level of security and privacy protections across the board.”

Start preparing for the GDPR

There’s less than eight months until the GDPR takes effect, which means there’s still time to prepare for the change, but you need to act soon. Compliance is not something you want to leave until the last minute.

As Denham advises, all organisations should be making sure that they “have the roles, responsibilities and processes in place for reporting; this is particularly important for medium to large organisations that have multiple sites or business lines”.

For advice on preparing for the Regulation, you should read EU GDPR – A Pocket Guide. This guide, written by IT Governance’s founder and executive chairman, Alan Calder, is the ideal resource for anyone looking for a primer on the principles of data protection and their obligations under the GDPR.

It describes the terms and definitions used in the GDPR in simple language, outlines the key requirements of the GDPR and provides advice on complying with the Regulation. The guide also provides a detailed explanation of data breach notification reporting.

Find out more about EU GDPR – A Pocket Guide >>


  1. Markus 3rd October 2017
  2. Rostagni 3rd October 2017
    • Luke Irwin 3rd October 2017
  3. Markus 3rd October 2017
  4. Nick Franklin 3rd October 2017
  5. tony stewart 3rd October 2017