GDPR – Reporting Myths

For today’s blog, we’re addressing the myths surrounding the reporting requirements of GDPR and provide you with a plan to comply with the requirements.

Myth number 1 – ‘All personal data breaches need to be reported to the ICO’.

Under the GDPR legislation, it clearly states that you only need to report the breach to the ICO and your consumer, if it’s likely to result in a risk to people’s rights and freedoms’. So, you will only need to report the matter if it would involve the consumer potentially suffering a significant detriment by either the breach damaging their reputation, causing financial losses or any other significant economic or social disadvantage.

Myth number 2 – ‘If you don’t report the breach in time, you will always be issued with a substantial fine’.

The ICO have charmed in on this subject and have said that ‘the fine under the GDPR will be proportionate and not issued in the case of every infringement’. If it is clear you have tried to implement GDPR and you just got stuck along the way, the ICO is not going to fine you 20,000,000 euros. The ICO want you to be open and work with them, if you do, you could avoid a fine. Comforting, right?

This this doesn’t mean you can relax! If you systematically fail to comply with GDPR or disregard it, especially if the public has been exposed to a significant data privacy risk, then high sanctions will be given!

Myth number 3 – ‘All details need to be provided when first reporting the breach’.

It won’t always be possible to have all the necessary information at that moment of discovering the breach, or to obtain this within 72 hours. The ICO know this and don’t expect this. The ICO have asked for details surrounding the potential scope and the cause of the breach, the mitigation actions you are planning to take and how you plan to address the problem. You can provide more details at a later date.

Now the myths have been laid to rest, we can focus on getting a plan together!

Let’s break down the steps in your plan: 

  1. Raise awareness and train your staff – it is both essential and a requirement under GDPR. The quality of the organisations training is key for the EU regulators assessment on your commitment to data protection. Every employee involved should know how you as a business hold client’s data, e.g the process of collection, where it is stored and who has access to it etc.
  2. Explain to your employees what might constitute a breach as they need to know what to look for and who they will report their concerns to.
  3. Create a template that includes the information you need to provide the ICO with so this can be done efficiently within the 72 hours. You need to detail:
  • The scope of the breach;
  • The cause of the breach;
  • The action you intend to take to mitigate the detriment
  • How you intend to address the problem

(If you are unsure of the first two, you should address the potential scope or the potential cause of the breach).

  1. Detail the process of how you will access this information. Detail who holds this information and who you need to contact to receive it. For example; if a third party holds your data, create an emergency plan together to recover this information within the given time.
  2. Create a template of how you will inform the client of the breach. For example, will you email them, or write out to them? And pre determine what level of information you will disclose to them. You should include advice and as much information as possible to help them protect themselves.
  3. Last but not least, you need to document all the breaches, whether or not they were reported and learn from them. Write a full report on how and why the breach occurred, what steps you took to overcome this and what you are going to change to make sure this doesn’t happen again.