This Q&A considers whether commercial organisations are obliged to comply with GDPR personal data breach reporting requirements during the coronavirus (COVID-19) epidemic.
You must notify the ICO of a personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it (GDPR, Article 33(1)). The only exception is where the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Deciding whether that exception applies requires a preliminary assessment of the severity of the breach before a decision is made about whether to notify. Note that every personal data breach, whether notified or not, must still be documented internally (facts, effects and remedial action taken) so that the ICO can verify compliance.
The 72-hour clock runs from the point at which you become aware of the breach, and a short investigation to establish whether a breach has actually occurred does not by itself start it. This approach is endorsed in the Article 29 Working Party (WP 29) Guidelines on Personal data breach notification:
‘After first being informed of a potential breach…or when it has itself detected a security incident, the controller may undertake a short period of investigation in order to establish whether or not a breach has in fact occurred. During this period of investigation the controller may not be regarded as “being aware”. However, it is expected that the initial investigation should begin as soon as possible and establish with a reasonable degree of certainty whether a breach has taken place; a more detailed investigation can then follow.’
Where the ICO notification is not made within 72 hours, you must give reasons for the delay.
Reports are made via the ICO’s Report a breach page. This includes information about reporting the breach by telephone and/or using an online Personal data breach reporting form.
Your report must include the:
• nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
• name and contact details of the data protection officer or other contact point where more information can be obtained
• likely consequences of the personal data breach
• measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effect
Where you cannot provide all of the required information within 72 hours, the GDPR allows it to be provided in phases ‘without undue further delay’ (Article 33(4)).
You should therefore consider notifying the ICO of the breach as soon as you become aware of it, and submit further information as soon as possible. If you know you will not be able to provide full details within 72 hours, explain the delay to the ICO when you notify, stating when you expect to submit more information and the reason for the delay, particularly if it is related to coronavirus.
For more guidance, see Practice Note: GDPR compliance—managing personal data breaches—Notifying the ICO.
The ICO acknowledges that the coronavirus public health emergency means organisations are facing staff and operating capacity shortages, together with acute pressure on their finances and cash flows. The ICO further states that, as a public authority, it must act in a manner which takes these circumstances into account and it:
• recognises the current reduction in organisations’ resources could impact their ability to comply with aspects of the law
• will focus its efforts on the most serious challenges and greatest threats to the public
• will be flexible in its approach, taking into account the impact of the potential economic or resource burden its actions could place on organisations
On the specific issue of data breaches, the ICO says:
‘Organisations should continue to report personal data breaches to us, without undue delay. This should be within 72 hours of the organisation becoming aware of the breach, though we acknowledge that the current crisis may impact this. We will assess these reports, taking an appropriately empathetic and proportionate approach.’
On discovering a data breach, the first thing you should do is assemble a data breach team comprising the people within your organisation who are best placed to respond to it, eg the Data Protection Officer (if you have one), the head of IT or information security, the head of compliance/legal and, if employee data is involved, the head of HR.
Having assembled your data breach team, take the following priority actions:
• conduct a preliminary assessment of the breach (what data, how many data subjects, likely consequences), since this determines whether the ICO must be notified at all
• contain the data breach and (so far as reasonably practicable) recover, rectify or delete data that has been lost, damaged or disclosed
If, because of the challenges presented by coronavirus, you must choose between deploying your available resources on assessing and containing the breach or on collating the information required to notify the ICO, focus on the former. However, keep a contemporaneous record of the reasons for that decision, so you can justify your actions if and when you do notify the ICO. If necessary, you can then make a skeleton notification to the ICO within the 72 hours and provide further information in phases at a later stage.
For guidance on the immediate actions to consider when handling a personal data breach, see Precedent: Data breach—panic sheet. See also Practice Note: Managing a personal data breach—process flowchart—GDPR and Precedents:
• Personal data breach plan—GDPR compliant
• Data breach assessment and action plan