Data Breach Reporting

Foster A Culture Of Reporting

A data breach is a very serious thing.  The implications can be severe.  If someone within your organisation screws up, there is one thing you need to be absolutely clear about.

You need to make sure that people are both empowered and encouraged to report data breaches.

If you operate your business with a punitive or blame culture, it is less likely that people will report breaches.  So make sure you don’t shoot the messenger, and that the messengers understand they will not be shot.

If people are scared to tell you, they might cover up a data breach.  Remember, you are required to report data breaches to the ICO.  If a breach is serious enough, you may also need to tell the private individuals involved so that they can take steps to protect themselves.

A cover-up could result in real harm being visited upon the Data Subject.  And if that happens, they might be motivated to take legal action against you.

A Procedure For Data Breach Reporting

Data breaches should be reported to the Data Controller.  If you are the responsible director of your company, this means you.  You may want to put a small team around you consisting of someone who knows about the process, someone who knows about GDPR (your DPO if you have one) and anyone else you think appropriate.

First of all, you need to establish whether you really do have a breach.

If there is a breach, you only need to report it if there is a risk to the rights and freedoms of individuals, that is, a risk of harm.

Depending on the nature of the risk to the rights and freedoms of individuals, you need to report it to those affected to allow them to take steps to protect themselves.

Your Data Breach Notification Should Contain

– The nature of the personal data breach including, where possible:

— the categories and approximate number of individuals concerned; and

— the categories and approximate number of personal data records concerned;

– The name and contact details of the Data Protection Officer (if your organisation has one) or other contact point where more information can be obtained;

– A description of the likely consequences of the personal data breach; and

– A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.

Source:  Information Commissioner’s Office, Overview of the General Data Protection Regulation (GDPR), 17th August 2017, licensed under the Open Government Licence.

Reporting A Data Breach To The ICO

As a Data Controller you will be registered with the ICO.  To be clear, you need to register; the ICO isn’t going to come along and invite you to register.

Your registered status with the ICO means that they know who you are.

Reporting a data breach is as simple as sending an email to the ICO with a completed copy of their notification document attached.  You can download the document from the ICO website.  It is not a convoluted process by any means.  The report tells them that you have had a data breach, when it occurred, the circumstances of the incident, whom it affects and what you are doing about it.

They will acknowledge receipt and then give you a decision in due course.