Do I need to report a data breach to the ICO during the coronavirus (COVID-19) epidemic?

Published on LexisPSL on 20/04/2020

The following Risk & Compliance Q&A provides comprehensive and up-to-date legal information covering:

  • Do I need to report a data breach to the ICO during the coronavirus (COVID-19) epidemic?
  • Legal requirements
  • ICO guidance
  • Practical tips

This Q&A considers whether commercial organisations are obliged to comply with GDPR personal data breach reporting requirements during the coronavirus (COVID-19) epidemic.

Legal requirements

You must notify the ICO of a personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it. The only exception is where the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. This requires a preliminary assessment of the severity of the data breach before deciding whether to notify.

This approach is endorsed in WP 29, Guidelines on Personal data breach notification:

‘After first being informed of a potential breach…or when it has itself detected a security incident, the controller may undertake a short period of investigation in order to establish whether or not a breach has in fact occurred. During this period of investigation the controller may not be regarded as “being aware”. However, it is expected that the initial investigation should begin as soon as possible and establish with a reasonable degree of certainty whether a breach has taken place; a more detailed investigation can then follow.’

Where the ICO notification is not made within 72 hours, you must give reasons for the delay.

Reports are made via the ICO’
