In what will be a surprise move to many, the ICO has issued a statement to UK public electronic communications service providers ("CSPs") regulated by the Privacy and Electronic Communications Regulations 2003 (known as "PECR"): you may have more time to notify a personal data breach than you previously had.
Regulation 5A of PECR sets out the most stringent notification requirements for personal data breaches under any cybersecurity regime in the UK. CSPs are currently required to notify a personal data breach to the ICO within 24 hours of becoming aware of the incident. Failure to comply with the notification rules under PECR can attract a fixed monetary penalty of £1,000. The ICO will also take into account any failure to report on time when considering any wider enforcement action.
However, in a statement published on 2 February 2023, the ICO has indicated that it may loosen the strict 24-hour requirement in certain circumstances. Following feedback from stakeholders, the ICO stated that it would exercise its discretion not to pursue CSPs that take longer than 24 hours to notify an incident, provided that the incident is reported within 72 hours and is unlikely to harm data subjects.
The ICO's decision was in part prompted by ICO25 – the ICO's three-year strategic plan. One of the central aims of ICO25 is to reduce certain costs and burdens involved in data protection compliance and to focus the ICO's resources on the most impactful enforcement.
Many will welcome this statement from the ICO, which can be seen as an early indication of a more pragmatic and business-friendly approach from the ICO in line with its ICO25 commitments.
Read on for 5 key takeaways from the statement.
- Who will this impact? The PECR notification rules only apply to CSPs: companies providing services which allow members of the public to send electronic messages (including telecoms providers and internet service providers). Further guidance on whether organisations are CSPs can be found here. Organisations subject to the UK General Data Protection Regulation ("UK GDPR") will remain unaffected unless they are also regulated under PECR.
- Will the ICO apply its discretion in all circumstances? The ICO makes it clear that it will allow CSPs to notify within the longer 72-hour period only where the incidents are "unlikely to result in any risk to individuals' rights and freedoms". The statement emphasises that the ICO will still expect notification of the incident within 24 hours where it is likely to impact adversely the personal data or privacy of subscribers and users.
- How will this align with UK GDPR notification requirements? PECR and the UK GDPR apply in tandem, however, the ICO currently requires that CSPs only make a single notification: CSPs should therefore continue to notify the ICO in the event of a personal data breach (either within 24 or 72 hours, depending on the level of likely harm to individuals) to cover obligations under PECR and the UK GDPR.
- Why has the ICO taken the decision to make this statement? In giving its reasons for issuing the statement, the ICO refers to the circa 10,000 PECR notifications it receives under Regulation 5A each year, the majority of which result from human error and affect only a small number of individuals. While the ICO will still expect that breaches are notified within 24 hours where they adversely impact individuals, the ICO is willing to loosen the burden on organisations for minor low-risk breaches that are unlikely to give rise to harm to any individuals.
- What should CSPs do going forward? As those who have experienced a personal data breach will know, the early hours of an incident are critical. CSPs should ensure that they accurately map the personal data held on their systems and have an up-to-date and comprehensive incident response plan in place. During these crucial hours, CSPs may breathe easier where any personal data impacted is unlikely to impact adversely the personal data or privacy of individuals – in such cases the CSP will likely be able to notify the ICO within the longer 72-hour window.
It's never a bad time to consider your cybersecurity preparedness. The Orrick Cyber team regularly advises clients on their cybersecurity programs while helping organisations to achieve right-sized market-leading cyber preparedness.