GDPR: Data breach reporting - ‘tell it all, tell it fast, tell the truth’

03 October 2017

By Jenny Parsons, COO, ProTech

More data was stolen in the first half of this year than during the whole of 2016. I read this somewhat disturbing statement in an article by CRN’s Tom Wright covering research from security vendor Gemalto.

The research reveals that over 1.9m data records were stolen in H1 2017 compared with just under 1.4m in 2016, representing a 164 per cent increase. The stolen data results from 918 breaches and identity theft heads the list for types of data breaches.

North America is the top attack target and has the most declared data breaches but, like security vendor Gemalto, I wonder if North America’s unenviable leading position will be toppled once the General Data Protection Regulation (GDPR) comes into force in May 2018.

In the first half of 2017 European companies reported 49 data breaches – five per cent of the global total but in fact, a drop of 25 per cent on the second half of 2016.

It will be interesting to see what these statistics look like at the end of 2018. It seems likely that, with the data breach reporting requirements within GDPR, the number of reported breaches will rise. Let’s not forget that US companies, like all companies which control or process personal data relating to an EU citizen, will need to be GDPR compliant.

However, as with all aspects of GDPR, there is a great deal of misinformation about the need to report all data breaches to the Information Commissioner’s Office (ICO) as well as to your customers, and about there being big fines for non-reporting.

Elizabeth Denham, the ICO’s Information Commissioner, is doing a great job in her regular blog of debunking some of the GDPR myths and misinformation. Her latest post sets the record straight on data breach reporting.

In her blog Denham confirms that ‘it will be mandatory to report a personal data breach under the GDPR if it’s likely to result in a risk to people’s rights and freedoms’.

So, Denham is clearly stating that if it’s ‘unlikely that there’s a risk to people’s rights and freedoms from the breach, you don’t need to report’.

The reporting of most personal data breaches to the ICO under the existing UK data protection law is regarded as best practice but is not compulsory. The need to report breaches which result in a risk to people’s rights and freedoms under GDPR is a new and compulsory requirement.

This raises the challenging question of what constitutes a risk that must be reported. Pan-European Guidelines will help with this decision-making process, but Denham suggests that the starting point is to examine ‘the types of incidents your organisation faces and develop a sense of what constitutes a serious incident in the context of your data and your own customers.’

Don’t forget that if there’s a ‘likelihood’ of a high risk to people’s rights and freedoms, then the breach must also be reported to the individuals, your customers, who are involved.

The ICO has provided some guidance as to what is covered by high risk situations. Denham’s blog says that they are ‘likely to include the potential of people suffering detrimental effect – for example, discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage.’

Under GDPR the reporting of data breaches affecting people’s rights and freedoms must take place not later than 72 hours after an organisation becomes aware that a breach has taken place. Where not all the details of the breach are yet available, these can be provided later. However, the ICO will need to know ‘the potential scope and the cause of the breach, mitigations you plan to take, and how you plan to address the problem’.

The ICO can issue fines for non-reporting of breaches and for failure to report them on time. Reassuringly, Denham repeats (see her earlier blog) that fines under GDPR will be proportionate and will not be issued for every infringement.

Fines can be avoided if you are ‘open and honest’ about a breach and report as quickly as possible. Denham’s advice is to ‘tell it all, tell it fast, tell the truth’.

Sound advice indeed and not just for reporting data breaches.
