At a glance
- If a security breach has a ‘significant impact’ you must notify the ICO within 24 hours.
- You must also notify your users if they are likely to be affected.
- In some circumstances you or the ICO may also need to inform the wider public about a breach.
- What is a breach under eIDAS?
- What must we do if there is a breach?
- When and how do we notify the ICO?
- When and how do we notify those affected?
- Will the ICO notify anyone else?
What is a breach under eIDAS?
A breach under eIDAS is:
“any breach of security or loss of integrity that has a significant impact on a trust service provided or on the personal data maintained therein.”
A breach may occur if there is a deliberate attack compromising the integrity of your service. But a breach can also occur if there is unauthorised access within your organisation or an accidental loss of integrity.
Not every incident relating to a lapse in security or integrity of a trust service is a breach. If there is no harm caused, or there is only a minimal effect, this will not qualify as a breach. However, you should still review your security measures.
What must we do if there is a breach?
If there is a breach, breach reporting rules are set out in article 19. You do not need to report every incident relating to a lapse in security or integrity of a trust service. However, where you have reason to believe that an incident has or is likely to have a significant (more than minimal) impact on the trust service or the personal data you hold, you need to:
- notify the ICO;
- consider whether to notify your users; and
- consider whether to inform anyone else who might be affected.
If you are not sure whether the impact of an incident is significant, it is safer to report the breach.
When and how do we notify the ICO?
You must notify the ICO within 24 hours of becoming aware of the breach, or sooner if it’s reasonable to do so.
Please use our eIDAS breach notification form.
If there has also been a personal data breach, there is no need to fill out a separate data protection security breach form as well. You should, however, include relevant details on the eIDAS breach notification form, and we may call you back if we need more information.
Please read the section Information security (Principle 7) in the ICO’s guide to Data Protection for more information on personal data breaches.