Data-breach probes will focus on repeat failures, UK’s privacy chief says
24 February 2017. By Vesela Gladicheva.
British companies that show a data breach was a "one-off" incident and have "genuinely good" privacy practices in place will escape investigations under new EU privacy rules set to come into force in 2018, the UK's data-protection chief said.
"When a company reports a breach to us, if we know that the company is ready to demonstrate that they have genuinely good processes in place, and can demonstrate this was a . . . one-off, a gap, then we're not going to investigate," Elizabeth Denham told a gathering* of privacy experts in London today.
"We're going to take note and we're going to monitor," said the Canadian national, who has headed the UK's Information Commissioner's Office since last July.
Under the EU's General Data Protection Regulation, which will come into force in May 2018, companies must report data breaches "without undue delay and, where feasible, not later than 72 hours" after discovering them.
"It's organizations that don't have their accountability act together that will get more serious [scrutiny]," the enforcer said.
Denham said her agency is preparing to handle data breaches under the new rules, and that it would learn from its counterparts in the US, where the obligation to report breaches is already in place.
She said this wasn't the hardest task for the ICO in its preparation for the EU's new rulebook. "This is not rocket science," she said.
Denham said in a speech last month that companies must stop seeing privacy rules as a "box-ticking exercise," and "work on a framework that can be used to build a culture of privacy that pervades an entire organization".
She also said businesses will be accountable for protecting customers' privacy and that they must take measures to mitigate risks.
* "Data Protection 2017," Direct Marketing Association, London, Feb. 24, 2017.