ICO warning over personal data breaches

Forthcoming data protection reforms will impose new notification requirements on companies in the event of a personal data breach, the Information Commissioner’s Office has warned.

A new EU General Data Protection Regulation will replace all data protection legislation in EU member states, including the UK’s Data Protection Act (DPA), without the need for further national legislation. It is expected to come into force in 2018.


Publishing this week a checklist of 12 steps for companies to ‘take now’ to prepare for the forthcoming regulation, the ICO says companies must have the right procedures in place to detect, report and investigate a personal data breach.

Some organisations are already required to notify the ICO when they experience a personal data breach. However, the regulation will introduce a ‘breach-notification duty across the board’ which, the ICO said, will be ‘new’ to many organisations.

Organisations operating internationally will also need to determine which data protection supervisory authority they come under.

The ICO said the regulation contains ‘quite complex’ arrangements for working out the correct authority that will take the lead when investigating a complaint with an international aspect.

‘Put simply, the lead authority is determined according to where your organisation has its main administration or where decisions about data processing are made,’ it says.

‘In traditional headquarters this is easy to determine. It is more difficult for complex, multi-site companies where decisions about differing processing activities are taken in different places.’

The ICO’s head of policy, Steve Wood, said people were beginning to ‘develop a plan’ and wanted to take ‘key steps’ ahead of the regulation’s implementation.

In a blog post on the ICO’s website, Wood said: ‘Many of the principles in the new legislation are much the same as those in the current DPA. If you are complying properly with the current law, then you have a strong starting point to build from.

‘But there are important new elements, and some things will need to be done differently.’

The new law, he added, would ‘enhance the rights of data subjects and place more obligations on organisations to be accountable for their use of personal data’.
