mhill
UK Editor

Reporting data breaches under GDPR: A guide for UK businesses

Feature
Aug 19, 2021 | 8 min read
Topics: Compliance, Data Breach, Regulation

Here's how UK organisations should report data breaches in adherence with strict GDPR data protection guidelines.

[Image: EU / European Union / GDPR data privacy, regulation, compliance. Credit: Olivier Le Moal / Getty Images]

The General Data Protection Regulation (GDPR) mandates strict protocols for the reporting of data breaches in accordance with EU data protection rules. Organisations can be issued large monetary fines or face other disciplinary action for failure to comply with the data breach disclosure guidelines set out by the GDPR. Recent examples include fines of €475,000 for Booking.com in The Netherlands and €450,000 for Twitter in Ireland, both for failures to report data breaches to the appropriate data protection authorities within the 72-hour period from detection permitted under GDPR.

Since the GDPR was introduced in May 2018, UK organisations have been required to comply with its strict data protection procedures. Despite becoming a non-EU country in January 2020, the UK was handed full GDPR data protection adequacy in June 2021 after an initial temporary deal expired. This sees UK organisations able to continue to transfer data to and receive data from EU countries without the need for additional safeguarding measures.

However, for the UK to maintain such a status, UK organisations must sustain the required standard of data protection practices, including responsibilities around data breach reporting. Failure to do so could not only see businesses face penalties but could even potentially lead to the UK being stripped of its data protection adequacy status altogether. The UK’s EU/data protection adequacy status aside, if a UK organisation merely has an EU presence, EU customers, or EU employees, it’s also mandatory that they comply with GDPR. It’s therefore as important as ever for UK companies to follow GDPR policies with regards to data breach disclosure.

Here is a UK organisation’s guide to responding to data breach incidents in compliance with GDPR, encompassing the most important factors businesses must understand and steps that must be taken to adhere to the disclosure rules.

What is a reportable data breach under GDPR?

The first step in complying with GDPR data breach reporting rules is to have a clear understanding of what constitutes a reportable breach under the regulations and what the required actions are. This is not as straightforward as it seems and is an area where considerable misunderstanding persists. The GDPR has specific requirements around recording data breaches in a company’s records and reporting incidents to the UK data regulator, the Information Commissioner’s Office (ICO) or the individuals impacted.

“It is important to remember that all breaches need to be recorded in your company breach log (if you don’t have one, you should), but not all breaches need to be reported to the ICO,” Sara Newman, practice lead and co-founder of UK privacy consultancy Securys, tells CSO. “We’ve all sent an email that contains personal data to the wrong person; that’s a breach. Reportable? Maybe not. Recordable? Yes.”

A detailed analysis of the suspected breach is therefore required to fully gauge its status under GDPR, says Alex Hazell, head of EMEA legal at Acxiom. “The organisation’s data protection officer (DPO), or the individual responsible for managing data handling and management at a senior level, along with legal counsel, should be involved at all stages, so the information can be protected by legal privilege.”

The key to determining the reporting protocol is to ascertain whether an incident involving personally identifiable information affects a living individual, causing them economic stress, social damage such as discrimination, financial loss, or reputational damage, says Harman Singh, director of UK cybersecurity consultancy Cyphere. If so, it must be reported to the ICO and to those affected. The ICO provides a useful self-assessment tool on its website that makes it easier for organisations to establish whether a breach must be reported. “If you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it,” says Newman.

How to report a data breach under GDPR

When a data breach needs to be reported under GDPR law, it must be done within 72 hours of the first discovery of the incident. Any report after that deadline is technically considered late. Reports to the ICO can be made by phone Monday to Friday 09:00 to 17:00, and online outside of those hours. “It is important that you have all the information the ICO needs to hand when reporting the breach, if possible,” Newman says. This includes:

  • The categories and approximate number of individuals concerned
  • The categories and approximate number of personal data records concerned
  • The name and contact details of the DPO (if your organisation has one) or another contact point at your organisation where more information can be obtained
  • A description of the likely consequences of the personal data breach
  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach
  • Where appropriate, the measures taken to mitigate any possible adverse effects

“You must report the breach even if you don’t have the full details within 72 hours. It is a good idea to explain the delay and tell the regulators when you expect to submit more information,” Newman adds. The ICO’s responsibility is then to decide if an organisation did enough to prevent the breach in the first place and measure various aspects of its post-breach management.

Risks of failing to meet GDPR data breach reporting requirements

Upon suffering a breach, organisations could be forgiven for feeling somewhat reluctant to disclose it for fear of further unwelcome repercussions, especially if they are yet to discover the full facts regarding the incident. However, any notions of avoiding or delaying disclosure beyond the permitted 72 hours are ill-advised, and not just because of the fines that can be levied for failing to report in line with the guidelines.

“Failing to notify the ICO of a breach when required to do so can result in a heavy fine of up to £8.7m or 2% of global turnover,” Newman says. “We don’t believe that the ICO has undertaken any specific enforcement action around late reporting of data breaches so far, but is this a risk you want to take?”

What’s more, fines can be combined with the ICO’s other corrective powers, under Article 58 of the GDPR, which include warnings and reprimands, carrying out data protection audits, giving data controllers deadlines for improving their systems, and restricting the use of some data, Newman adds. “The ICO can even order companies to correct or erase personal data they hold.”

What can prove even more detrimental to an organisation though is the reputational damage of failing to meet GDPR requirements, something that can be very difficult to repair. “Customers are increasingly concerned about their data privacy. Those who trust you are loyal. Those who don’t will take their business elsewhere and will be difficult to win back,” Newman says.

Hazell advises organisations to prepare their external communications teams to deal with public response to the breach. “Marketing and PR teams need to be briefed on what exactly happened and be prepared to handle any negative publicity or challenging questions from media outlets, customers, or other stakeholders who may be concerned.”

How data breach reporting will evolve

Customer demand for and sensitivity about data privacy is only going to escalate with time, something that will impact several aspects of the data breach reporting process for UK organisations. “We expect some changes to the UK data protection regime in the future and these changes might affect breach notification requirements,” Forrester Principal Analyst Enza Iannopollo tells CSO. “Considering other privacy and cybersecurity regulations in other geographies, it’s evident that breach notification requirements have become very common features of new bills and regulations.”

As customer purchasing power advances, customers will reserve their business for those brands that reflect their own values, expecting more data transparency and faster reparations than companies might have felt were demanded of them to date, Newman adds. She predicts that data breach reporting will become easier and more frequent for organisations, including phone support over extended hours, faster online reporting, and more timely feedback from the regulator.

For lawyer and compliance expert Jonathan Armstrong, the changing nature of cyberthreats is also likely to impact data breach disclosure norms in the coming years. “One area could be heightened disclosure requirements to report ransomware payments,” something that regulators may want to crack down on as it could be judged as undermining genuine resilience and encouraging further attacks.

Ultimately, detecting a breach is not an easy task for organisations, and most only discover they have been targeted long after the event. Nonetheless, a meticulous, robust data breach reporting strategy can help businesses adhere to the GDPR’s stringent disclosure protocols and limit or prevent unwelcome regulatory ramifications beyond those of the data breach itself.


Michael Hill is the UK editor of CSO Online. He has spent the past 8 years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.
