Data breach reporting: what does your business need to know?

There has been a substantial increase in the number of self-reported data breaches. That’s according to the Information Commissioner’s Office (ICO). In its annual report for 2017/18, the ICO reveals that there has been a 30% rise in self-reporting.

Are data breaches on the rise?

Yes. In fact, as well as the rise in self-reported breaches, the ICO also reports a significant increase in data protection complaints (up 15%).

But, as well as growth in cybercrime and negligence, the rise in self-reporting could be down to companies getting ready for new regulations, under which reporting data breaches is now mandatory. As such, it is anticipated that the 2018/19 report will show an even greater rise.

Data breach reporting before GDPR

Before the introduction of the General Data Protection Regulation (GDPR), there was no legal requirement for organisations to self-report data breaches (although it was encouraged).

However, certain public bodies were required to self-report serious breaches.

Therefore, it’s no wonder that the health sector was the leading area for self-reports in 2017/18 (36%), with education second (11%). It isn’t really a surprise that sectors which have to report data breaches are far more likely to do so.

What is interesting is that in 60% of cases no action was taken against the reporting data controller. What’s more, where action was required, a monetary penalty was only pursued in 0.3% of cases. But, with data breaches now big news, it is unlikely that the ICO will continue to act softly where companies fail in their data protection obligations.

Data breach reporting after GDPR

Today, GDPR has transformed the data protection landscape. Not only are there greater obligations on companies to keep data safe, but there are also increased responsibilities when it comes to reporting breaches. And, of course, potentially huge fines for non-compliance.

Today, UK businesses must self-report data breaches to the ICO unless the breach “is unlikely to result in a risk to the rights and freedoms of natural persons”. However, establishing which types of breach are unlikely to result in such a risk isn’t easy, particularly where immediate decisions are needed because a breach must be reported without undue delay and, where feasible, not later than 72 hours after discovering it.

How can business owners keep on the right side of the law, while not exposing themselves to unnecessary risk and investigations? Particularly as the ICO has not yet published specific guidance on reporting.

Data protection solicitors

To ensure that businesses meet their obligations under GDPR, it is vital that proper processes and reporting mechanisms are in place to prevent a manageable situation escalating into a data breach nightmare. And this should happen before a breach occurs.

At Hayes Connor Law, we have all the expertise and experience needed to reduce your exposure to risk. Helping you meet your data protection requirements, and keeping you safe from breaches, we ensure your policies and procedures are compliant. And, should a data breach occur, we offer expert advice on reporting, as well as providing a robust legal response and defence. So you come out of any crisis with your reputation, business and financial status intact.

As well as advising you on when to report and when not to report, our data protection solicitors can also help you to establish compliant processes for responding to data breaches made against your business.

With a stark rise in data breaches and cybercrime, the question of whether a breach must be reported will almost certainly become something your business will have to face at some point. And it’s important not to get the decision wrong if you want to avoid further action by the ICO.

Should you need legal advice or assistance in this area, please contact the Hayes Connor Law data protection team.

Our data breach defence solicitors have a wealth of experience in this relatively new and continually evolving field, so we understand the complexities involved. As such, we can help you with a wide range of advice and legal support. Our process is fully compliant with ICO guidance, and we never put your details at risk.