Data Breach Over-Reporting

What has happened?
The Information Commissioner’s Office has recently stated that many businesses are disclosing minor personal data breaches to it in the mistaken belief that they have to report those incidents under the General Data Protection Regulation.

The UK’s deputy information commissioner, James Dipple-Johnstone, highlighted the problem of “over-reporting” in a speech at a cybersecurity conference hosted by the CBI in early September, when he commented that “Some controllers are ‘over-reporting’: reporting a breach just to be transparent, because they want to manage their perceived risk or because they think that everything needs to be reported. We understand this will be an issue in the early months of a new system, but we will be working with organisations to try and discourage this in future once we are all more familiar with the new threshold.”

It was also mentioned during the speech that, since the GDPR took effect on 25 May, around 500 calls a week have been made to the ICO’s breach reporting phone line (0303 123 1113), and that about one-third of the incidents discussed by callers with ICO staff turned out not to be reportable under the GDPR’s data breach notification threshold.

Organisations are obliged to disclose certain personal data breaches to data protection authorities and affected individuals under the GDPR. A personal data breach is defined under the Regulation as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Organisations must notify local data protection authorities of personal data breaches they have experienced “without undue delay and, where feasible, not later than 72 hours after having become aware of it … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. In addition, where there is a high risk of damage arising to data subjects, those data subjects must be informed directly without undue delay.

It must be clearly understood that the 72-hour deadline is not limited to working hours and that the clock starts ticking from the moment you become aware of the breach.

It has also been reported that some of the data breach reports the ICO has been receiving have been incomplete. The ICO provides an explanation of what information is to be provided here.

How can Thistle help you?

Thistle will continue to keep this area under review and will issue further updates where necessary. Please view our GDPR or Cyber Security page for more information on the services we provide in those areas.