Mishcon de Reya page structure
Site header
Main menu
Main content section

More than one third of personal data breaches reported “late” to ICO

Posted on 1 December 2022

The UK GDPR requires that, where there has been a personal data breach ("PDB"), the controller must notify the Information Commissioner’s Office (ICO) within 72 hours (unless the PDB is unlikely to result in a risk to data subjects).

It goes on to say that this is where it is “feasible” to do so within that timeframe. The recitals to the UK GDPR explain that "[a PDB] may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons." 

The ICO's own website says, "You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay."

Failure to notify in a timely manner risks, in principle at least, whichever is higher out of a fine of £8.7 million or 2% of global annual turnover.

In light of this, it is interesting to note that figures recently published by the ICO, in connection with a new "Data Security Incident Trends" dashboard reveal that 37% of the 32,541 PDBs notified since 2019 have failed to be done so within 72 hours. However, within that same period, no fines for late notification were issued by the ICO. Indeed, none have ever been issued for such delays.

It is possible that some of those "late" notifications were ones where it had not been "feasible" to do so within 72 hours but, in any case, it seems clear that there is a common pattern of late notifications, with little if any sanction arising. 

For controllers who made or make late notifications, 72 hours - especially if that period straddles a weekend - is a very short time to identify whether a security incident actually meets the definition of a PDB in Article 4(12) UK GDPR, and whether it is likely or not to result in a risk to data subjects. The costs and effects of a premature unnecessary notifications can also be considerable.

It may well be that the ICO recognises this and exercises its discretion not to impose any sanctions for notification delays. However, there is evidence that at least some of the EU GDPR supervisory authorities take a different view. This may, therefore, be one of several areas that reveal a divergence between UK and EU regulatory practice

Related Content
News

Mishcon de Reya's Data Team ranked again in the GDR global top 100

News

Clarity of consent in fertility treatment

abstract black architecture News

Data breach crisis in central government, time for ICO to act?

News

New keeling schedules published for Data Protection Bill

News

ICO orders employer to stop using facial recognition and fingerprint scanning to monitor its employees

News

Mishcon de Reya advises Hewlett Packard Enterprise on £225 million deal to build the UK's most powerful AI supercomputer

data-blue News

Anonymisation in the life sciences sector: challenges and legal considerations

News

The Princess of Wales and possible data protection offences and infringements

Blue data abstract News

AI in the Workplace: data protection issues

Abstract crypto data News

CJEU rules in relation to personal data and advertising

News

UK Home Office data protection law breach: Jon Baines comments

Abstract glowing blocks News

Is time running out for the Data Protection and Digital Information Bill?

How can we help you?
Help

How can we help you?

Subscribe: I'd like to keep in touch

If your enquiry is urgent please call +44 20 3321 7000

Crisis Hotline

I'm a client

I'm looking for advice

Something else