GDPR: Data Breach Reporting

GDPR: Data Breach Reporting under the General Data Protection Regulation (EU) 2016/679 (GDPR) - Information Commissioner's Office (ICO)


The new reporting requirements under the GDPR in relation to the ways in which organisations identify, handle and respond to personal data breach of individuals data were recently published in a blog by the ICO.


The ICO declared that:

“… personal data breach reporting has a strong public policy rationale and is not necessarily about punishing organisations per se, but rather making them better equipped to deal with security vulnerabilities…That is, by helping organisations get data protection right now and in the future and therefore ensuring the public has trust and confidence in them”.


The blog on the GDPR offers practical advice to organisations:

  • On how to report data breaches to the ICO
  • What details would have to be provided
  • The levels of fines; and
  • The reason for reporting.  


Under the GDPR if there is a risk to a person's rights and freedoms as a result of personal data breaches, then it will be mandatory to report such personal data breaches.


Reporting: How much data has to be provided?

Under the GDPR, there is an obligation on organisations to report all data breaches 'without undue delay' and to provide certain details when reporting data breaches. Practically, at the time of reporting, the organisation can provide preliminary information and provide details at a later stage.

The ICO will take a pragmatic approach and will not expect a comprehensive report at the outset when a breach is detected.




The ICO has the power to fine any organisations for:

  • Failing to notify; and
  • Failing to notify in time.

The ICO will again take a pragmatic approach and fines may not always be issued and the level of fines will vary.

According to the ICO, some fines can be avoided if organisations are open and honest when reporting to the ICO and work alongside the basic transparency principles included in the GDPR.


Due Diligence

Before the implementation of the GDPR, it is imperative that organisations conduct due diligence to establish the types of incidents that might constitute a 'serious' or 'high' risk to their customers.



For any advice on GDPR you may contact us by email

​Contact us






Search Shadow


newsletter Shadow


Testimonial Bottom Shadow

testimonial Shadow Middle

More Testimonials

Testimonial Bottom Shadow