Does a data breach really need to be reported to the ICO?

  • Kiki
  • Mar 31
  • 4 min read


It's always 4.59pm on a Friday, isn't it!? That lovely email comes in, with the subject line: Private & Confidential: Data Breach. The panic sets in. The investigation, the risk assessments, the correspondence to the ICO. You can forget Emmerdale and Corrie tonight. But before you start drafting that correspondence to the ICO… does it really need to be reported to the ICO?


It can be quite challenging to assess whether a breach is reportable or not. What does “likely to result in a risk to the rights and freedoms” even mean? I hear you cry. It can be a difficult task to navigate, and the answer isn’t always straightforward.


Unnecessary reporting can create panic, but failing to report when you need to can lead to enforcement action. So how do you decide? Let's break it down.


Under the UK GDPR, a personal data breach must be reported to the ICO if it is likely to result in a risk to the rights and freedoms of individuals. Key word – IF. Let's put this into perspective with some examples:


Scenario 1: Not reported to the ICO


A Fintech company accidentally emailed a vulnerable new client’s file to a colleague in a different department. The colleague who received the file immediately deleted the email and informed the sender of the error. The file contained a list of the client’s outstanding debts, contact details, basic financial history, information about their mental health and reasons for seeking support with their finances. The sender and recipient work for the same company, but in different departments. Both work to the same data security measures and have completed training on working with vulnerable people.


The recipient correctly deleted the email and informed the sender. As a result, it is very unlikely that there would be any risk of harm or detriment to the data subject, despite special category personal data being involved – not reportable. The organisation documented the breach internally and provided guidance to staff about checking contact details when sending emails, to minimise the risk to their data subjects. 


Scenario 2: Reported to the ICO & affected individuals


A domestic abuse charity’s system was hit by a ransomware attack. In this situation, highly sensitive details including names, addresses, and information about abuse cases may have been accessed or locked by the attackers. Because of the potential harm to victims if their personal details are exposed (for example, being located by their abuser or having traumatic experiences shared publicly), there is a clear and high risk to their rights and freedoms. This is definitely reportable to both the ICO and the affected individuals.

Why? The sensitivity and volume of the data, and the real possibility of serious harm, make it a situation where both the regulators and the individuals affected should be informed.


When do I have to report it to the ICO?


So… if it is 1) a reportable breach, and 2) you are the data controller… you must notify the ICO within 72 hours.


But wait, when does the clock start ticking? 


Good question! It begins from the moment you discover the breach, not from when it actually occurred. So, if the breach occurred on the 1st of March but was only discovered on the 15th of March, your 72-hour countdown starts on the 15th of March.

Notifying the individuals impacted is slightly different. There's no strict 72-hour stopwatch, but you must tell them without undue delay. The bar for notifying individuals is set higher than the bar for the ICO; not every ICO-reportable breach necessarily requires informing individuals.


What if we’re a data processor?


If you're the data processor, your job is simpler, but urgent: notify the data controller ASAP - no procrastinating allowed!

Those 72 hours from discovery are precious, so use them wisely to assess and investigate. 


Deciding Factors: To Report or Not to Report?


Consider these questions:


1. What type of data is involved?

Is it sensitive data such as health information, biometrics or financial details, which increases the risk level? Or is it publicly available information, which poses less risk?

2. How many individuals are affected?

A breach affecting just one person may not require reporting unless the impact is severe; context is everything.

3. Can affected individuals protect themselves?

If passwords were exposed, individuals can reset them, which lowers the risk. If financial data was stolen, the fraud risk is higher.

4. How easy is it to exploit the breach?

If the data was encrypted and remains unreadable, the risk is low. On the other hand, if it was sent to an unauthorised party, the risk depends on what they can do with it.


The tricky part is that, even with these guidelines, making the right call isn’t always easy. However, the ICO isn’t out to punish organisations for every mistake. What they really care about is:

  • Is there a genuine impact on data subjects?

  • Did you have security controls in place?

  • Did you notify them within 72 hours, even if only with the information you had at the time?

  • Have you taken steps to prevent a recurrence?


If you can demonstrate a well-thought-out approach to risk assessment and proactive mitigation, the ICO is likely to take a balanced approach.


My mantra is: when in doubt, document everything. If you’re on the fence about reporting, document your decision-making process. Even if you don’t report the breach, keeping an internal record will help demonstrate accountability.


At the end of the day, handling a breach properly is about minimising harm - both to individuals and your organisation’s reputation. So, next time you face this dilemma, take a step back, assess the risk, and ask yourself: Does this really need to be reported?


And if you’re still unsure, give us a shout, we would be more than happy to give you a steer!

