The Information Commissioner’s Office (ICO) has published its latest myth-busting GDPR blog.
The series of notifications, written by Elizabeth Denham, aims to sort the fact from the fiction regarding the General Data Protection Regulation (GDPR), given there are a number of mistruths being written about the implementation.
The latest post focuses on the reporting of data breaches, outlines why it’s a myth that ALL data breaches will have to be reported, and discusses the timescales involved with reporting breaches.
Addressing the myth that all personal data breaches will need to be reported to the ICO, the blog responds by saying that “It will be mandatory to report a personal data breach under the GDPR if it’s likely to result in a risk to people’s rights and freedoms. However, if it’s unlikely that there’s a risk to people’s rights and freedoms from the breach, you don’t need to report.”
Denham goes on to say: “Pan-European guidelines will assist organisations in determining thresholds for reporting, but the best approach will be to start examining the types of incidents your organisation faces and develop a sense of what constitutes a serious incident in the context of your data and your own customers.
“And organisations need to remember that if there’s the likelihood of a high risk to people’s rights and freedoms, they will also need to report the breach to the individuals who have been affected. If organisations aren’t sure about who is affected, the ICO will be able to advise and, in certain cases, order them to contact the people affected if the incident is judged to be high risk.”
Speed of reporting
The blog goes on to discuss how quickly details need to be provided when a data breach occurs – a question we know charities have been asking.
Denham says: “Under the GDPR there is a requirement for organisations to report a personal data breach that affects people’s rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it.
“Organisations will have to provide certain details when reporting, but the GDPR says that where the organisation doesn’t have all the details available, more can be provided later. The ICO will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident – but we will want to know the potential scope and the cause of the breach, mitigation actions you plan to take, and how you plan to address the problem.”
Not about punishment
The blog also addresses the issue of fines and punishment – and the fact that many media outlets have commented that data breach reporting is all about punishing organisations – an accusation that Denham refutes.
“Personal data breach reporting has a strong public policy purpose,” she says. “The law is designed to push companies and public bodies to step up their ability to detect and deter breaches. What is foremost in regulators’ minds is not to punish the organisations, but to make them better equipped to deal with security vulnerabilities.
“The public need to have trust and confidence that a regulator is collecting and analysing information about breaches, looking for trends, patterns and wider issues with organisations, sectors or types of technologies. It will help organisations get data protection right now and in the future.”
The ICO is currently working alongside other EU data protection authorities as part of the Article 29 Working Party to produce guidance that will set out when organisations – including charities – should be reporting, and the steps they can take to help meet their obligations under the new data breach reporting requirement. There are already some examples and explanation in its GDPR overview.
Charities should be preparing now by ensuring they have the roles, responsibilities and processes in place for reporting; this is particularly important for medium to large organisations that have multiple sites or business lines.