Reporting a breach - a quick guide to GDPR, PECR and NIS
There are certain security and data breaches which require an organisation to make a report to the Information Commissioner’s Office (ICO).
We take a look below at the reporting rules under the following regulations:
- a personal data breach under the UK GDPR or the Data Protection Act 2018;
- a Privacy and Electronic Communications Regulations (PECR) security breach by a telecoms or internet service provider; and
- a notifiable incident under the Network and Information Systems Regulations 2018 (NIS Regulations).
UK GDPR and DPA 2018
The UK GDPR and DPA 2018 provide a process for organisations to report certain personal data breaches. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
You do not need to report every breach to the ICO. To determine if a breach must be reported, you need to consider the likelihood and severity of the risk the breach may have to people’s rights and freedoms. The higher the risk and greater the severity, the more likely it is that the breach will need to be reported. The ICO provides a useful self-assessment tool for data breaches to help determine if a report neds to be made.
If it is determined that a breach needs to be reported, this must be done within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, those individuals must also be notified without undue delay.
Privacy and Electronic Communications Regulations (PECR)
The Privacy and Electronic Communications Regulations require certain organisations to notify the ICO if a personal data breach occurs. Specifically, these requirements apply to those organisations who provide services which allow members of the public to send electronic communications, such as telecoms or internet service providers.
A report to the ICO must be made within 24 hours of detection of the breach. A service provider must also notify its customer if the breach is likely to adversely affect them.
The ICO now provides a secure PECR security breach notification web form which allows organisations to notify the ICO of a breach online.
If an organisation makes a report under PECR, it is not required to also report the breach under the UK GDPR and/or DPA 2018.
The NIS Directive is intended to establish a common level of security for network and information systems. It applies to two groups of organisations: ‘operators of essential services’ (OES) and ‘relevant digital service providers’ (RDSPs). There is a general exemption for digital services that are small and micro-businesses, unless they are part of a larger group or are controlled by larger organisations.
You are required to notify the ICO of any incident that has a substantial adverse effect on the provision of your services.
There are a number of factors which should be considered when assessing if a notification needs to be made, including the number of users affected, the duration of the incident, the geographical spread, the extent of the disruption and the extent of the incident’s impact.
You must notify the ICO no later than 72 hours of becoming aware of any incident. Although the ICO is required to share incident notifications with the National Cyber Security Centre, you should also consider making a voluntary report to them as well.
The ICO provides a NIS reporting form for organisations to report a breach under the NIS Directive.
If you have any queries regarding any reporting requirements, whether the various regulations apply to you, or you need help in assessing whether a breach requires reporting, please contact the Commercial Team who will be happy to advise.