
Mishcon Academy: Digital Sessions – Self-reporting to Regulators – advantages, imperatives and pitfalls

Posted on 17 March 2021

Mishcon Academy: Digital Sessions are a series of online events, videos and podcasts looking at the biggest issues faced by businesses and individuals today.

This session was recorded on 10 March 2021. The information in the film was correct at the time of recording.

To review the key insights from the event, please view the film or read the write-up below.

What do we mean by self-reporting in this context?

By self-reporting, we mean the reporting by a business or individual to its regulator of a breach, potential breach or other shortcoming or wrongdoing.

How do the self-reporting requirements differ between regulators?

Each regulator will have its own self-reporting requirements, and in some cases, lack of them. Some examples of self-reporting requirements are:

The Gambling Commission

In the betting and gaming sector, in addition to the requirement to notify specific key events (e.g. someone reaching a 3% shareholding threshold), there are overarching requirements about notifying. In short, the Gambling Commission expects licensees to work with it in an open and cooperative way and to disclose to it "anything which the Gambling Commission would reasonably expect to know".

The Financial Conduct Authority

The FCA has various self-reporting rules. These range from notifying significant breaches of rules to notifying frauds. The FCA also has an overriding principle that requires those it regulates to be open and co-operative and to disclose appropriately anything which the FCA would reasonably expect notice of.

The Information Commissioner's Office (the "ICO")

The ICO, by reference to the requirements of the UK General Data Protection Regulation, will require the reporting of personal data breaches that involve a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Not every breach of the UK GDPR must be reported to the ICO. Businesses must report a personal data breach to the ICO, unless the breach is unlikely to result in risk to the rights and freedoms of individuals. In addition, if there is considered to be a high risk to the rights and freedoms of individuals, the business will also be required to notify the affected individuals.

The Competition & Markets Authority (the "CMA")

There is no mandatory reporting required by the CMA. However, the CMA has a generous leniency programme for businesses that confess to being involved in a cartel, that is, any arrangement to fix prices, limit production, engage in bid rigging, or share markets or customers.

The first participant in a cartel who self-reports to the CMA can benefit from a highly attractive package of complete immunity from fines, criminal prosecutions and directors' disqualification orders. However, to gain the benefits of self-reporting to the CMA, the business must confess explicitly that it has engaged in anti-competitive behaviour. As such, it remains open to potential civil litigation for damages from any affected third parties.

What factors are relevant to the decision to self-report to a regulator?

In some cases, it will be obvious whether to self-report. In other cases, where the decision whether to report is less clear cut, a judgement call will need to be made. Factors that may go into that judgement call include the following:

Will the regulator find out independently?

Sometimes it is inevitable that a regulator will become aware of a breach. When it comes to personal data breaches for example, the ICO can often become aware of personal data breaches from the media, who increasingly hear of large breaches early on. Where the regulator is likely to find out in any case, that will likely be a factor in deciding whether to report first.

Consequences of not reporting

Where a regulator discovers a breach that was not self-reported, and takes the view that it ought to have been, that can play out badly in subsequent action taken by the regulator. For example, the failure to self-report may be an additional regulatory failing that is punished. Or, it may be an aggravating factor that increases the level of fine.

Positive Benefits of self-reporting

Quite apart from avoiding criticism for a failure to self-report, a positive benefit can be the ability to control the narrative and flow of information being provided to the regulator in relation to the breach. This can enable the regulated business to forestall a 'scatter-gun' approach to investigation of the breach by the regulator.

In some regulated sectors, self-reporting can also help reduce potential fines. For example, the Gambling Commission will take account of early and voluntary reporting of breaches and, in appropriate cases, credit may be given in the form of a discount to the penal element of any fine or payment in lieu of a penalty if a regulatory settlement is reached.

Risks of self-reporting

Self-reporting to a regulator is not without risks. For example, it can plainly lead to further action by the regulator such as an investigation, review, more intensive supervision or the imposition of a third party report.

In addition to that, there are other risks that may be less obvious. For example, in relation to personal data breaches, which can take place without any fault on the part of the self-reporting entity, there is a risk of unfounded complaints and legal action from data subjects. Matters can have a "long tail" that organisations may not have considered.

What internal procedures should organisations put in place in relation to self-reporting?

Training

Training is an essential part of ensuring that employees are alive to reporting requirements. Training should apply not only to compliance teams, but also to operational teams. Without it, such teams may not even know there is a need to report. Further, where there is a specified timeframe for reporting to a regulator, it is all the more important that employees understand this. For example, personal data breaches which are notifiable to the ICO must be reported within 72 hours of "becoming aware". This means that it is crucial for organisations to be able to rely on employees to act quickly.

Corporate Governance Procedures

Organisations should have procedures in place which set out the individuals to whom an event or possible breach should be escalated. These procedures should describe the roles of individuals, their decision making powers and whether the related discussions should be dealt with on a 'need to know' basis.

Individual accountability

Regulators are increasingly focused on the issue of personal accountability.

For example, this is true of the financial services regulator, which has for some years been pursuing an individual accountability agenda. The most recent manifestation of this is its Senior Managers' regime.

By way of further example, the Gambling Commission has the same expectations of individuals in senior positions and personal management licence holders, as it has of the organisations it licenses. Where a licensee has its licence reviewed, it is increasingly common for personal management licence reviews to follow.

Conversely, the data protection regulatory framework primarily works on the basis of corporate responsibility.


Adam Epstein

My name is Adam Epstein. I’m chairing today’s discussion. The discussion today relates to the issues that you and your business need to consider about self-reporting to regulators. Let me introduce you to our panellists. So, the first panellist is a guest from outside, from the ICO, is Laura Middleton. She’s the Group Manager for the ICO’s Personal Data Breach Service. And then in terms of the Mishcon folk we have here Jon Baines. Jon is a Senior Data Protection Specialist here. Niki is a Partner in our Betting and Gaming Group. And finally I probably tell you who I am, I’m a partner here. I run the Regulatory Group and my particular expertise is in dealing with what we call distressed actions with the regulators. So, any kind of tricky situations that people have. So, let me start the discussion by just telling you a little bit about what we mean by self-reporting. Because obviously there’s, there’s all kinds of reporting that folk have to do in the regulated sectors, you know, annual reports or transaction reports. We’re not talking about that kind of reporting here. The self-reporting that we’re talking about here is effectively when you’re having to confess to the regulator that you’ve done something wrong or there’s been some kind of a breach in order to give people a sense of where everyone’s coming from. It would just make sense to start with a little bit of context. So, Niki can you just tell us a little bit about what the Gambling Commission requires by way of self-reporting?

Niki Stephens

The requirements for businesses licensed by the Gambling Commission kind of fall into two categories. There are a number of specific reporting requirements and then there are some more sort of general overriding principles. And on the sort of more specific side, most of the time we’re looking at things that require notifications to be made to the regulator and those are known as key events and broadly speaking, those are events that could have a significant impact on the nature or structure of the business. As I mentioned, there’s a number of other sort of specific notification requirements under the licence which would include a breach of the licence conditions themselves or the social responsibility code provisions of the LCCP but as I say, there are also some overriding disclosure requirements which are more relevant to this discussion in particular. The Gambling Commission expects licensees to work in an open and cooperative way and to disclose to it anything which the Gambling Commission could reasonably expect to know. And there’s a similar expectation that’s actually set out in the LCCP which includes anything that’s likely to have a material impact on the licensee’s business or its ability to conduct its activities compliantly. So, those are the kind of situations where a number of different and sometimes competing factors will come into play.

Adam Epstein

So, Laura can you tell us what the requirements are for self-reporting and why the ICO regards those requirements as being important. 

Laura Middleton

So, there’s a legal requirement to report certain personal data breaches to the ICO so, it’s, it’s not optional.  By personal data breach we mean a breach of security leading to amongst other things, the accidental or unlawful destruction, loss, disclosure, access to personal data so, it isn’t every time you might fail to comply with the, the UK GDPR.  Why it’s important is by telling the ICO that you’ve had a breach, you allow us the opportunity to provide you with advice and guidance at that really early stage.  If we know about the breach then it helps us kind of manage complaints and enquiries from people who might be affected.  We use the information that we get from data breach reports to look for trends.  So, for example we might look at particular sectors to see what the common breach types are in those sectors and then we try and use those trends to turn that into advice and guidance. 

Adam Epstein

I thought I’d bring in one of our competition partners and as if by magic here he is, Neil Bayliss.  If you could just explain to the audience how it is that self-reporting works in competition and how that obviously contrasts a bit and you can see a different impetus for that and for the other regulators. 

Neil Bayliss

Yeah so, as you know Adam the CMA is the UK regulator for competition and much consumer law as well.  There’s no mandatory reporting requirement as such.  What there is, is a very generous leniency programme encouraged, which encourages people to come forward if they have been a participant in a cartel.  The law allows them to come forward to CMA, fully disclose what they’ve done and participate in the investigation with the CMA.  It’s certainly better than the potential of a 10% of all turnover fine. 

Adam Epstein

Okay thanks so much for that Neil.  But what I really want to explore is the different elements that can go into decision-making that, that organisations may have about whether to self-report or not.  And one element realistically of that, the calculus that, that people make is the regulator’s going to find out anyway.  There’s an obvious benefit isn’t there to making a virtue out of it?  And that I think probably comes up a reasonable amount in data, which is why I wanted to ask Jon. 

Jon Baines

The advent of GDPR did a few things and one thing it did do was, was raise the awareness of the general public around the issues of data protection. And what we see now is that increasingly the media and I’d include social media in that, pick up quite quickly on issues that, that might be data breaches. So, what, what we have found with some clients is while they are internally just becoming aware of an issue, already the media are starting to run with it. I think this raises quite interesting issues for controllers as to whether they need to notify the ICO. Effectively, you only have to notify those breaches where there is likely to be a risk to the rights and freedoms of natural persons. And that test, that threshold, is not always straightforward to test. So, the question may be, ‘Should we make this notification anyway even if the threshold might not be met, do we make a notification because at least we are in, in some respects controlling the information flow?’

Adam Epstein

Laura, how about if somebody decided, they took the decision not to report but the regulator then found out about it and took a different view.  What would the ICO… what are the consequences of a failure to report if you, the ICO, think a report should have been made?

Laura Middleton

We do expect organisations when we’re carrying out an investigation to be open with us and so it’s possible that if we decided to move to a sanction that we would sort of take the fact that we found out about a breach in a way that wasn’t from a direct self-report, that we would take it into account there.  Or perhaps if we were taking action for the breach of security itself so failure to have some sort of control or measure in place to prevent the breach from happening in the first place we might then you know, almost add an additional line to that sanction about the failure to report. 

Adam Epstein

Can we… can we just think about maybe what some of the more positive reasons for reporting might be?

Niki Stephens

I mean one of the things that we’ve touched on already is this idea of being open and cooperative with your regulator and so one of the main advantages of self-reporting is that you avoid that criticism.  But there are some other sort of key advantages that I think are relevant to the decision-making and critically, or one of the key advantages is controlling that narrative and the flow of information.  You know, a carefully crafted notification provides the regulator with enough information to be able to properly understand and assess the issue.  You can also use it as an opportunity to try and forestall any questions that the regulator might have and the benefit of that is that if you provide too little information or they are bombarded with too much information you know, the regulator might not quite be able to make head or tail of what’s happening and take a more sort of scattergun approach in response, in a bid to find out the information it needs.  Ultimately the regulator’s interested in you know, working out whether there’s been a breach of a regulatory obligation or if there’s an ongoing risk to the licensing objectives or harm or risk to consumers and by controlling that narrative you can assure the regulator that you are continuing to take steps that are necessary to address those particular risks and minimise harm.  I think one of the other advantages that’s worth sort of touching on is the fact that if regulatory action does follow and there is a payment in lieu of a financial penalty made as part of a regulatory settlement, the Gambling Commission will take account of any early and voluntary disclosures that have been made. 

Adam Epstein

So, those are the kind of some of the positive reasons for why you might report.  The reasons why people might not want to report, I guess in some senses are very obvious.  What I wanted to think about actually is maybe some of the less obvious risks.  And I know that Jon from his work has got a good sense of other risks that may be less obvious to people. 

Jon Baines

A personal data breach as defined in Article 4.12 of the UK GDPR is a neutral thing and you should still notify this neutral event to the ICO. I mention that just because there is, certainly with personal data breaches that go public, even though it doesn’t if you like constitute any concession of fault on your part, what we increasingly see is what the phrase I keep coming back to – the long tail of a data breach – and that really consists of potentially a regulatory investigation but also complaints and increasingly claims or letters before claim, menacing letters coming in and the solicitors take the view, the law firms that this happened, therefore you must be at fault therefore we’re going to threaten you with legal action.

Adam Epstein

Are there circumstances in which an organisation might notify a data incident or breach to you and you then effectively lean on the organisation to contact its customers to make sure that they can be made good or people can make claims?

Laura Middleton

There is a requirement to notify data subjects in certain circumstances.  So, that is where the risk to those data subjects is considered to be a high risk.  So, it’s a higher risk than reporting to the ICO to start with.  So, if we thought we were in that territory then we could be, we would be encouraging the organisation to contact the affected data subjects and if that wasn’t done voluntarily then we have powers to compel the organisation to inform those data subjects.  On the subject of complaints, I would almost say I can, I can see that we were talking about maybe some of those breach reports that are made that don’t meet the threshold.  I think sometimes organisations almost like to get ahead of a complaint and make their notification to the ICO first, even if they’re not strictly required to do so, almost because they’re kind of seeing how things might play out with individuals in the future and they’re thinking, ‘Oh well,’ almost like, ‘If we come to the ICO then we can show that you know, we’re being open and honest’.  Making that notification to the ICO doesn’t necessarily kind of absolve you of dealing with those complaints.  So, if the ICO’s view is as Jon said, ‘Oh we can kind of…’ or ‘You’ve explained how this has happened and we can see how that’s happened and we don’t think there’s an underlying issue that’s led to this breach occurring.  So, from our point of view there’s nothing more for you to do’.  That kind of doesn’t get round dealing with that complaint and you might still have those complaints to deal with at a, at a later stage. 

Adam Epstein

So, what I’d like to talk about now is making sure that you as an organisation are in a position to recognise when you actually need to self-report and I know Niki’s got a few things to say about training and ensuring that people know what needs to be self-reported. 

Niki Stephens

Put simply, you know training is an imperative part of ensuring that there is a general awareness within the business of the licensee’s obligations to report and ensuring that that training extends beyond your sort of compliance teams. You know, often we see businesses with very good training materials in place but they just aren’t delivered to the people on the ground.

Adam Epstein

In regulation there has been a real direction of travel over the last few years towards personal accountability.  If I could just ask really quickly, first Niki and then Jon, how they see accountability playing out in betting and gaming and in data where it’s less obviously developed at the moment. 

Niki Stephens

You know, as you say there’s that same expectation of people in senior positions and personal management holders, licence holders, as it does of the licensee, the corporate entity expects those people to disclose anything to the Gambling Commission that it would reasonably expect to know, it expects them to be open and cooperative and what we’ve seen certainly in the last couple of years is that where the corporate entity has its licence reviewed, it’s increasingly common for the personal management licence holders to have their PMLs reviewed as well as a sort of follow-on to the main licence review.

Adam Epstein

Jon, it works somewhat differently doesn’t it, in data?

Jon Baines

The data protection framework works on the basis that the legal person that’s accountable is the organisation, the company and I just stress some people sometimes think, ‘Oh well, if there’s a data protection officer then it must be them who’s accountable’.  I think it’s crucial to say that’s, that’s neither the role nor the responsibility of a DPO to take everything on their shoulders, they effectively perform an advisory role within an organisation. 

Adam Epstein

In a, in a number of situations there might be a number of different regulators.  So, there could be different regulators domestically or there could be different regulators internationally and that might impact how people will decide to deal with self-reporting issues.  Do you want to just tell us a little bit about that?

Jon Baines

So, the UK as I guess everyone knows, is no longer part of the EU.  We’re now subject… companies controllers in the UK are subject to the UK GDPR.  The EU GDPR carries on regardless in the rest of Europe and what that creates is the slightly problematic position for companies who are operating in the UK and in European countries in that when it was all one thing, one EU and one GDPR there was the concept of a lead supervisory authority.  With the UK out of the EU now, there is a risk that you’re actually, the lead supervisory authority concept falls away for UK controllers and if you’re operating in European countries, you may find yourself having to make notifications to regulators in all of those countries and potentially be subject to regulatory investigations in all of those.  So, that’s a long answer to say it’s complicated. 

Adam Epstein

Thank you to all of you and what I hope people can take from it is that these are the things that don’t only apply to the particular regulated sectors that we’re talking about but can apply across the board and really I just want to say thank you very much and we hope to see you at our future events or digital sessions. 

The Mishcon Academy Digital Sessions.  To access advice for businesses that is regularly updated, please visit mishcon.com. 

Visit the Mishcon Academy for more learning, events, videos, podcasts and reports.
