The UK GDPR requires that, where there has been a personal data breach ("PDB"), the controller must notify the Information Commissioner’s Office (ICO) within 72 hours (unless the PDB is unlikely to result in a risk to data subjects).
It goes on to say that this is where it is “feasible” to do so within that timeframe. The recitals to the UK GDPR explain that "[a PDB] may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons."
The ICO's own website says, "You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay."
Failure to notify in a timely manner risks, in principle at least, a fine of up to £8.7 million or 2% of global annual turnover, whichever is higher.
In light of this, it is interesting to note that figures recently published by the ICO, in connection with a new "Data Security Incident Trends" dashboard, reveal that 37% of the 32,541 PDBs notified since 2019 were not notified within 72 hours. However, within that same period, no fines for late notification were issued by the ICO. Indeed, none have ever been issued for such delays.
It is possible that some of those "late" notifications were ones where it had not been "feasible" to notify within 72 hours but, in any case, it seems clear that there is a common pattern of late notifications, with little if any sanction arising.
For controllers who made or make late notifications, 72 hours - especially if that period straddles a weekend - is a very short time in which to identify whether a security incident actually meets the definition of a PDB in Article 4(12) UK GDPR, and whether or not it is likely to result in a risk to data subjects. The costs and effects of a premature or unnecessary notification can also be considerable.
It may well be that the ICO recognises this and exercises its discretion not to impose any sanctions for notification delays. However, there is evidence that at least some of the EU GDPR supervisory authorities take a different view. This may, therefore, be one of several areas that reveal a divergence between UK and EU regulatory practice.