The UK’s data protection and privacy regulator will no longer fine public electronic communications service providers (CSPs) if they fail to report a data breach within 24 hours.
The Information Commissioner’s Office (ICO) said that as long as CSPs – including mobile carriers and ISPs – report any incidents to it within 72 hours, they will not be liable for a fixed monetary penalty of £1000.
The previous rules were part of the Privacy and Electronic Communications Regulations 2003 (PECR), and for CSPs took precedence over GDPR breach notification obligations.
“The ICO currently receives around 10,000 reports per year under Regulation 5A PECR. Our analysis of these reports indicates that incidents notified to us usually result from human error and only affect a small number of individuals. Typically, CSPs then take action to improve their internal systems to prevent similar errors occurring,” the regulator explained.
“The ICO is mindful of the regulatory burden on CSPs in meeting the short 24-hour reporting deadline in circumstances where the incidents being reported are unlikely to result in any risk to individuals’ rights and freedoms.”
The ICO said that it still expects CSPs to notify within a day if a breach may “adversely affect the personal data or privacy of subscribers or users.”
The changes to reporting regulations can be seen in the context of a wider three-year strategy from the ICO, dubbed ICO25, which is designed to reduce data protection compliance burdens and costs for organizations, and more pertinently focus its limited resources on areas where it can have the greatest impact.
Some of these changes have raised eyebrows, such as the ICO’s decision to massively scale back public sector fines.
Information Commissioner John Edwards publicly defended the policy, claiming that such fines only take money away from vital public services. One £500,000 fine levied on the Cabinet Office was reduced to just £50,000.