In the final blog of our series on data breach reporting, we look at when it is necessary to report a personal data breach to individuals whose data has been affected.
There is a higher threshold for reporting data breaches to individuals than to the ICO. Not all data breaches that must be reported to the ICO will entail mandatory notification of individuals. There is an obligation to notify individuals “without delay” where the breach is likely to result in a high risk to their rights and freedoms. The GDPR also requires the communication to be in clear and plain language.
There are some exceptions to the obligation to notify individuals where:
- the data controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption; or
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of individuals is no longer likely to materialise; or
- it would involve disproportionate effort. In that case, the GDPR instead requires a public communication or similar measure that informs individuals in an equally effective manner.
The ICO wishes to avoid ‘notification fatigue’, so that individuals affected by serious breaches do not become complacent. If notifications are too frequent they tend to be ignored, and individuals are then unlikely to engage or take appropriate steps to protect themselves. In addition, individuals may experience unwarranted distress if they are informed of breaches which are unlikely to result in a risk to their rights and freedoms.