Data Protection investigatory priorities

When the Information Commissioner's Office (ICO) chooses which data breach cases to look into more closely, it takes a risk-based approach. Its key priorities are:

  • Incidents where a higher number of persons were affected by the breach
  • Incidents where the firm took too long to report the issue to the ICO
  • Incidents where the type of breach, and its capacity to do harm, are greater

The ICO has prioritised looking into breaches where high numbers of persons were affected. That is a sensible use of its limited resources, and the reality of its reach, not a reason for firms to let standards drop. More than half of ICO investigations involved firms whose mistakes affected more than 100,000 people.

Prompt action by firms, including reporting to the ICO when a data breach occurs, is key. It means firms need to report to the ICO in less than 7 days (presumably calendar days) and to correspond suitably with affected persons too. That requires really prompt action. The ICO has said that it will look harder at firms that are slow to report to it.

There are four portals on the ICO website for reporting data breaches:

  • One for breaches that have caused loss, alteration or disclosure of personal data
  • Another for communication services security breaches
  • A third for digital service provider breaches, and
  • A fourth for trust services breaches, such as those affecting identity verification

At present, the type of breach most likely to result in close scrutiny by the ICO is a malware incident. That is presumably because cyber breaches can quickly spread into other aspects of a person's life and reach connected systems such as their banking. A malware or other cyber problem is, relatively speaking, more likely to do greater harm than an email sent to the wrong address or without heed to the unsubscribe list (which nonetheless still needs to be corrected).

Disclaimer

Any and all blogs by Board Originator Ltd and any of its employees are for the interest of the readership only. We do not endorse any news or information we may publish in our blog. Our blog is not intended to and does not constitute legal or professional advice to any person or corporation. Our posts are general alerts or updates on topics that may interest our followers; they consist of a brief overview, are therefore incomplete, and may contain errors at any time. Readers are not to rely on our blog content, and those who do rely on it do so at their own risk. We accept no responsibility to readers for our blog and we will not be held liable for statements in, or third party links within, our blogs. Any common law liability is also excluded as permitted by law. We do not accept any liability for damages, whether direct, indirect, special, consequential or otherwise, under any circumstances, whether foreseeable or otherwise. Please also see our extensive website terms and conditions in the footer of our website.