Data controllers must notify a personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware unless the breach ‘is unlikely to result in a risk to the rights and freedoms of natural persons’.
The supervisory authority in the UK is the Information Commissioner’s Office (ICO).
If a delay beyond 72 hours occurs, the controller must notify the ICO of the reason for the delay.
The information required by the ICO when notifying a breach is specified in Article 33 of the General Data Protection Regulations 2018 (GDPR) and comprises:
- the nature of the breach and, where possible, the categories and approximate numbers of data subjects and personal data records concerned
- the name and contact details of the data protection officer or other contact in your firm where more information can be obtained
- the likely consequences of the breach, and
- the measures you have taken or propose to take to address the breach including, where appropriate, measures to mitigate its effects.
As with most other aspects of GDPR compliance, controllers should document the breach and the steps taken to remedy its effects.
This will be important in demonstrating to the ICO that your firm has responded in a reasonable and proportionate manner in complying with its obligations.
Data processors have a duty to notify the controller without undue delay after becoming aware of a personal data breach.
The breach can be reported online on the ICO website.
For further information, see the Law Society’s Preparing for the General Data Protection Regulation: A guide for law firms.
Disclaimer: While every effort has been made to ensure the accuracy of the information in this article, it does not constitute legal advice and cannot be relied upon as such. The Law Society does not accept any responsibility for liabilities arising as a result of reliance upon the information given.
Have you got a practice question? Call the Practice Advice Service on 020 7320 5675 or email firstname.lastname@example.org
The Practice Advice Service is staffed Monday to Friday from 9am to 5pm.