Currently, the ICO says it is experiencing significant over-reporting. The ICO has confirmed that, before reporting, data controllers must assess the likelihood and severity of any consequences of the breach. If it is unlikely that there will be a risk to people’s rights and freedoms following the breach, it does not need to be reported. All breaches do however have to be documented in accordance with GDPR requirements, regardless of whether they are reported. GDPR requires the record to enable supervisory authorities like the ICO to verify that the data controller has complied with GDPR requirements for breach reporting.
The ICO has also reminded data controllers that the 72 hour reporting requirements relate only to data breaches (i.e. a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data). The ICO suggests considering whether there has been a confidentiality, integrity or availability breach as a method of identifying reportable breaches. Confidentiality breaches involve unauthorised disclosure, integrity breaches involve alterations to personal data, and availability breaches are those where personal data has been lost or destroyed by accident or without authorisation.
Data controllers are not required to (and should not) self-report failures to meet subject access request deadlines, instances of electronic marketing to individuals without appropriate consent, or loss of data relating to deceased individuals.