The GDPR specifies that notification to the ICO should take place “without undue delay” and, “where feasible,” within 72 hours (or else notification needs to be accompanied with reasons for the delay). Notification to data subjects is not subject to the same time limit, simply being required “without undue delay.”
However, not all personal data breaches need to be notified.
Data controllers are only required to notify the ICO when a breach is “likely to result in a risk to the rights and freedoms of the individual.” The threshold for notifying individuals is higher. Notifications are only required where there is a high risk to their rights and freedoms. The rationale behind this is to avoid “notification fatigue” – a consequence of individuals being unnecessarily notified every time a breach occurs, even if small and insignificant.
To help you assess the risk attached to a breach, here is a list of factors to consider:
With respect to an availability breach, whilst this would not necessarily constitute a notifiable breach in most circumstances, individual data subjects may need to be notified in an organisation such as the NHS, where the unavailability of patients’ medical records could present a serious risk to their health.
The GDPR allows for a two-stage notification process, meaning you can make the first notification as early as possible, even where you don’t yet know the full impact of the breach. This is particularly helpful given the 72-hour deadline for informing the ICO. Once the initial notification is made, you then have time to conduct a further investigation, after which you can submit a more detailed notification.
If you are ever unclear whether or not you are obliged to notify the individuals affected, you could liaise with the ICO. Working with your regulator means sharing the decision-making burden and, ultimately, being confident that whatever decision is made is the right one.