Data breach reporting under GDPR

This is the first in a series of blogs on aspects of personal data breach reporting under GDPR.  Last week the Information Commissioner’s Office (ICO) hosted a webinar on data breach reporting and confirmed that since GDPR was implemented, the number of breaches being reported monthly has more than quadrupled.  The majority of reports continue to come from the education and health sectors, as well as a significant number from local government.

The increase in breach reporting is unsurprising given the requirements in GDPR for data controllers to report personal data breaches.  Reports must be made without undue delay and where feasible within 72 hours of becoming aware of them.  The only exception to the reporting requirement is where the breach is unlikely to result in a risk to the rights and freedoms of individuals. 

The regulatory guidelines that accompany GDPR provide that a controller should be regarded as having become “aware” of a personal data breach when that controller “has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised”.

Other blogs in this series will look at:

• over-reporting and risk assessment
• telephone reporting
• providing information to the ICO
• notifying individuals