When to report a data breach

Preparing for the General Data Protection Regulation (GDPR), which introduces a tighter set of rules, helps businesses stay compliant with the new requirements from the day they apply.

The Information Commissioner’s Office (ICO) recommends a number of steps to get everything in place. Perhaps the most important is understanding what the new rules mean and what your responsibilities are, as someone who holds other people’s data, for staying within them.

Without this clarity it is easy for businesses to be on edge. To head off a tidal wave of reports from nervous enterprises afraid of being put through the wringer, the ICO offers guidance on when a breach must be reported and when it is acceptable to handle the matter internally.


When to report a breach
Certain organisations are already required to report certain types of breach. Under the GDPR, every organisation that controls personal data has a duty to inform the ICO of a breach unless it is unlikely to result in a risk to the rights and freedoms of the individuals whose data is involved.

How serious a breach is depends on the nature of the data, the number of people affected and the likely consequences for them, and all breaches that pose a risk to those people should be reported.

For example, if the login details of thousands of customers held by an online store are exposed to attackers, the breach could cause those customers financial loss and violate their confidentiality.

Another example is private emails being made public, damaging the reputation of the sender, the recipient or others involved in the conversation.

In cases like these you would need to inform the ICO, and where the breach is likely to result in a high risk to the individuals concerned you also have a duty to notify them directly.

A notifiable breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of the business becoming aware of it. Meeting that deadline lessens the chance of a heavy fine, although carelessness with data is still likely to result in a financial penalty.


Under the GDPR, failing to notify the ICO of a notifiable breach can incur a fine of up to 10 million euros or 2 per cent of global annual turnover, whichever is higher, on top of any fine for the breach itself.


When not to report a breach
Not all data is sensitive, and not every breach will cause a problem if the data gets out into the open. Examples include an internal staff contact list, or a marketing list of names targeted for a product, provided the product isn’t especially sensitive. Even a breach you decide not to report must still be recorded internally, together with the reasoning for not reporting it, because the GDPR requires organisations to document every breach.


For more information on how regulatory fines fit into your commercial insurance package, get in touch with Edwards Insurance Brokers.