Data breach reporting under GDPR: over-reporting and risk assessment

Currently, the ICO says it is experiencing significant over-reporting. The ICO has confirmed that, before reporting, data controllers must assess the likelihood and severity of any consequences of the breach. If it is unlikely that there will be a risk to people’s rights and freedoms following the breach, it does not need to be reported.  All breaches do however have to be documented in accordance with GDPR requirements, regardless of whether they are reported.  GDPR requires the record to enable supervisory authorities like the ICO to verify that the data controller has complied with GDPR requirements for breach reporting.

The ICO has also reminded data controllers that the 72 hour reporting requirements relate only to data breaches (i.e. a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data).  The ICO suggests considering whether there has been a confidentiality, integrity or availability breach as a method of identifying reportable breaches.   Confidentiality breaches involve unauthorised disclosure, integrity breaches involve alterations to personal data, and availability breaches are those where personal data has been lost or destroyed by accident or without authorisation.

Data controllers are not required to (and should not) self-report failures to meet subject access request deadlines, instances of electronic marketing to individuals without appropriate consent, or loss of data relating to deceased individuals.

Tags

Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
Sites
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R

Visitors

Register for My M&R to stay up-to-date with legal news and events, create brochures and bookmark pages.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.

Staff

Mills & Reeve system for employees.