The ICO exists to empower you through information.

Control measure: Procedures are in place to report personal data breaches to the ICO, where required.

Risk: If a personal data breach is not reported to the ICO within 72 hours, where required, this may be a breach of articles 33, 5(1)(f) and 32 of the UK GDPR.

Ways to meet our expectations:

  • Identify and record the lead supervisory authority (for the UK, this is the ICO), particularly if there is potential for a cross-border breach. Include this in your breach response plan.
  • Put a process in place for reporting personal data breaches to the ICO. 
  • Detail in the report (as a minimum):
    • the nature of the personal data breach; 
    • the number of people and records affected; 
    • a contact point (DPO); 
    • the likely consequences; and 
    • any remedial measures you’ve taken, or will take, to address the effects of the personal data breach.
  • Report a personal data breach to the ICO within the required timeframe, if a person’s rights and freedoms are affected, or are likely to be.
  • Put fallback procedures in place for:
    • out of office hours personal data breaches; 
    • decision-maker absences; and 
    • alternative notification routes (eg if a communication channel has been compromised by the personal data breach).
  • Record decisions not to report a personal data breach or the reasons for any delays, along with any advice received from the supervisory authority (or other third party).
  • Ensure the DPO is involved in assessing whether to report personal data breaches to the ICO.
  • Retain evidence of internal and external communications during any personal data breaches.

Options to consider:

  • Ensure the processes for reporting to the ICO include procedures with any joint controllers or processors.
  • Carry out a lessons learned debriefing, following any breach reporting to the ICO, to minimise the risks of future personal data breaches and improve processes.


Control measure: Procedures are in place to notify affected people of a personal data breach where appropriate.

Risk: If the personal data breach is not communicated to affected people as soon as possible, they will be unable to take necessary precautions. This may breach articles 34, 83(2), 5(1)(f) and 32 of the UK GDPR.

Ways to meet our expectations:

  • Put a process in place for informing people about a personal data breach, where necessary, and agree the potential ways to do so.
  • Have a communications template for sending clear and plain information to affected people, which includes: 
    • the name and contact details of the DPO;
    • the likely consequences of the personal data breach; and
    • the measures taken to address the personal data breach.
  • Put in place an alternative notification method should contacting everyone individually require disproportionate effort.
  • Document decisions involving disproportionate effort.
  • Put a process in place to inform people at a later point, if there is insufficient information to contact them at the time of the personal data breach or contact details have been lost as a result of the incident.

Options to consider:

  • Consider the audience who are receiving notification of the personal data breach in your communication plans and templates (eg by making alternative accessible formats available). 
  • Ask for feedback from your customers about whether your communications are in a clear format.