Does a company have to report a data breach?
The simple answer, at the moment, is no.
Companies and organisations are responsible for the personal data they hold, but under the Data Protection Act 1998 (DPA) there is no general legal obligation to report a breach, although doing so is widely regarded as good practice. This is set to change in 2018, when the EU General Data Protection Regulation (GDPR) begins to apply.
So, in the near future, reporting certain breaches will become mandatory.
What is a data breach?
A data breach is an incident in which sensitive, protected or confidential data has, or may have, been viewed, stolen or used by someone who is not authorised to do so. A breach is not only an external attack: it can mean that someone other than the data controller has gained access to the data, but it also covers cases where someone within the organisation has accidentally lost or exposed it.
Who is the ICO?
The Information Commissioner’s Office (ICO) is the UK’s independent public authority responsible for enforcing the DPA. The ICO provides companies and organisations with a ‘data protection breach notification form’ so that data controllers can report a breach of the DPA. Again, this is not mandatory, but it is seen as good practice.
There are generally three types of breaches that can be reported to the ICO:
- Breach of the DPA
- A Privacy and Electronic Communications Regulations (PECR) security breach by a telecoms or internet service provider
- The unlawful obtaining of personal data (a section 55 DPA offence)
The ICO’s notification form asks an organisation for seven pieces of information when it reports a DPA breach:
- Organisation details (is the reporting organisation the data controller for the data concerned?)
- Details of the data protection breach (what happened, when, and what preventive measures were in place, if any)
- What personal data is at risk?
- Containment and recovery (what mitigation actions have been taken?)
- Training and guidance (does the organisation give its staff adequate training on the requirements of the DPA?)
- Any previous contact with the ICO
- Any further information that would be relevant to the ICO’s investigation
Why companies may not want to report a data breach
On the face of it, reporting a data breach may seem damaging to your company’s reputation. However, the long-term effects of reporting can actually be positive. Reporting the breach and owning up can maintain, and even enhance, relations with customers, and it allows ‘swift containment and recovery of the situation’, as the ICO puts it.
By not reporting a breach to the authorities, the harm it causes can be greater. An example is tech giant Yahoo, whose breaches occurred in 2013 and 2014 but were only disclosed in 2016, with around one billion accounts affected by the larger of them. Had Yahoo reported the breaches sooner, it might have limited the damage and avoided souring relations with its users.
The calls for companies to be required to disclose their security breaches have been answered, as the EU General Data Protection Regulation (GDPR) applies from 25 May 2018. Under the GDPR, a personal data breach must be notified to the supervisory authority (in the UK, the ICO) without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms.
From next year, reporting some breaches will be mandatory.