recent work

ICO updates breach notification guidance

The UK’s Information Commissioner’s Office (ICO) has updated its guidance for organisations on when they should notify it about data breaches. According to the latest guidance, where there is, “significant harm” resulting from the breach, either due to the volume of the data, its sensitivity, or both, there is a requirement that the matter should be reported to the ICO. An interesting twist is that the ICO is suggesting that the “significant harm” does not have to be actual harm – potential harm is also reportable.  To draw a parallel, this is similar health and safety “near miss” reporting.

Where there is little risk that individuals would suffer harm, the ICO says, “there is no need to report.” The ICO is leaving it up to individuals and companies (and the resulting case law) to find out what constitutes “significant harm” or “insignificant harm”.  By way of an example, the ICO cites an example of where a stolen laptop is properly encrypted, or where the subject of the breach is publically available information, there would be no requirement to report the breach.


It’s vitally important that companies keep track of breaches no matter how minor so that they can build up a database of data breaches and near misses and their causes.  All of this will result from having a data aware culture within a company.  Absolute Data can not only help with building and rolling out an internal data awareness campaign, but will also work with you to build and implement robust data management processes.