Data breach reporting under GDPR: providing information to the Information Commissioner’s Office

Data controllers are required to report personal data breaches to the ICO without undue delay and where feasible within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.

Where the report is not made within 72 hours, the controller must also explain the reasons for the delay.

GDPR requires that at minimum the notification report must:

• describe the nature of the breach including where possible, the categories and approximate number of individuals concerned and the categories and approximate number of personal data records involved;
• communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
• describe the likely consequences of the breach;
• describe the measures taken or proposed to be taken to address the personal data breach. This should include, where appropriate, measures to mitigate its possible adverse effects.

If it is not possible to provide all the information at the same time, GDPR does envisage that this may be provided in phases, but again this must be without undue delay, and with an explanation as to why the information could not be provided within the 72 hour period.

Data controllers are expected to have adequate systems and processes in place to enable  swift investigation, containment and reporting of personal data breaches. 

In addition, organisations must ensure a culture of compliance prevails amongst their employees, with suspected breaches being reported to appropriate personnel immediately upon discovery. 

If you have not done so already, you should consider whether your existing procedures are adequate, and make any changes needed to ensure you are able to make any compulsory notifications within the 72 hour window, including arrangements for obtaining advice, if required.