How to Report a Data Breach

According to the UK General Data Protection Regulation (GDPR), businesses have to report personal data breaches within 72 hours after being informed of such a breach.

What is a personal data breach?

Any intentional or unintentional security incident that compromises the confidentiality, integrity, or accessibility of personal data qualifies as a personal data breach. For instance, a breach could occur:

• If you misplace, delete, distort, or reveal personal data
• If someone accesses the information or shares it without having the necessary authorisation
• If the data becomes unavailable (for instance, due to ransomware, accidentally lost, or damaged), and this absence has a major negative impact on people

If a security issue occurs, you should ascertain whether there has been a compromise of personal data. The potential negative effects on people should be the main focus of your assessment, depending on:

• How significant or serious these are, and
• How probable they are to occur

You could be required to notify the Information Commissioner's Office (ICO) about the breach or the people it affects. Let's look at when you should report a breach.

When you should report a breach

You are not required to notify the ICO of every data breach. You must report a data breach, however, if it could endanger people's rights and freedoms.

For instance, if the breach is likely to result in:

• Discrimination
• Loss of reputation
• Psychological distress
• Financial or material losses due to identity theft or fraud, as well as any other serious economic or social disadvantage

Other laws, such  the Privacy and Electronic Communications Regulation (PECR) or e-privacy regulation, may also require you to notify the incident.

How to report personal data breaches to the ICO

You can notify the ICO of a personal data breach by following their self-assessment tool and reading the guidelines on reporting a breach.

Recording personal data breaches

You must make sure that you record all breaches as part of your responsibility to uphold the accountability principle required by the UK GDPR, regardless of whether the breaches require reporting to the ICO. The details of the breach, its consequences, and the corrective action taken should be documented.

If you encounter a personal data breach, you may have extra notification requirements under other laws in addition to notifying and documenting the breach.

For instance, if you operate an essential service provider, a digital service provider, a communications service provider, or a UK trust service provider.

Third parties that can help lower the danger of financial loss to individuals, such as the police, insurance, professional associations, banks, or credit card providers, may also need to be informed.

What happens if you don't report a breach?

A punishment of up to £8.7 million or 2% of your global sales may be imposed for failing to notify the ICO of a breach when you are required to do so. Under the UK GDPR, the fine may be used in conjunction with other corrective measures by the ICO.

If you are upfront and truthful about the breach, report it right away, and demonstrate that you take the security of personal data seriously, you can avoid fines and penalties.

Make sure that you have a reliable mechanism in place to quickly identify and report breaches and that, in the event of a notifiable breach, you are able to give all relevant information. If you decide not to report the breach, be sure to explain your reasoning and keep a record of it.

Summary

Reporting a data breach is often necessary and an important aspect of handling personal data breaches. If you’re looking to prevent data breaches and safeguard your organisation from cyber security attacks or unauthorised breaches, Swiftcomm can help. 

Get in touch with our friendly support team today to find out how we can manage your organisation’s data privacy and IT security.

[cta]

References:

1. ICO. Report a Breach. Accessed September 26 2022.