Where a “personal data breach”, as defined in Article 4(12) of the General Data Protection Regulation (GDPR), has occurred, Article 33 requires data controllers to notify the fact to the Information Commissioner’s Office (ICO) without undue delay, and within 72 hours “where feasible” (unless it doesn’t meet the “risk” threshold for notification, as described elsewhere in Article 33).
However, a recent request to the ICO under the Freedom of Information Act 2000 (FOIA) has revealed that, from the available data, of the 21,705 personal data breaches notified to the ICO since May 2018, 14,365 were notified within 72 hours and 7,340 were not – meaning that approximately one third of personal data breaches are reported later than 72 hours after the controller became aware of them.
The FOIA disclosure doesn't go into detail about whether there were good reasons for the 7,340 "late" notifications, but it is worth noting that, although unwarranted late notification is an infringement of GDPR (attracting a potential maximum fine of €10m or 2% of global annual turnover), no enforcement action by the ICO has resulted from this. Nor, indeed, has there been any indication that the ICO sees late notification as a systemic issue with UK controllers. If anything, the ICO has been more likely to bemoan the fact that controllers are notifying in circumstances where they don't need to.
The period immediately following a data security incident can be a pressurised, confusing and confused time. It would not be surprising if some controllers failed to meet the strict time conditions laid down by GDPR, especially as the trigger for notifying is defined as the point at which the controller becomes "aware". As the European Data Protection Board accepts, in some cases it will be relatively clear from the outset that there has been a personal data breach of which the controller is "aware", but in other cases it may take some time to establish this.
No one should be surprised that some personal data breaches are reported outside the normal 72-hour time limit, but should it continue to happen in a third of cases, it might be something the ICO has to take more seriously.