The Information Commissioner has published a further post in her GDPR blog series, this one on personal data breaches and how they should be managed. There has been considerable press coverage claiming that GDPR will require every breach to be reported to the ICO. The post states:
"It will be mandatory to report a personal data breach under the GDPR if it’s likely to result in a risk to people’s rights and freedoms.
So if it’s unlikely that there’s a risk to people’s rights and freedoms from the breach, you don’t need to report.
Under the current UK data protection law, most personal data breach reporting is best practice but not compulsory. And although certain organisations are required to report under other laws, like the Privacy and Electronic Communications Regulations (PECR), mandatory reporting of a personal data breach that results in a risk to people's rights and freedoms under the GDPR will be a new requirement for many.
These new reporting requirements will mean some changes to the way businesses, organisations and even the ICO identify, handle and respond to personal data breaches.
The threshold to determine whether an incident needs to be reported to the ICO depends on the risk it poses to people involved."
The ICO points to pan-European guidance being developed, as well as to some of the content in their own overview of GDPR.
Other myths are busted in this very useful blog; and there is confirmation that "up until 25 May 2018 all personal data breaches will be assessed under the current Data Protection Act."
To find out more about data breach management, come to one of our courses:
Data Breach Management and Investigations training, Manchester, 5th October 2017. Alternatively, call 01344 636388 or email firstname.lastname@example.org for more information.