Description

Amended ICO statement on data breach notification rule (Regulation 5A PECR)

On 2 February 2023, the Information Commissioner's Office (ICO) reviewed and updated its statement on the obligations of public electronic communications service providers (CSPs) under Regulation 5A of the Privacy and Electronic Communications Regulations 2003 (PECR). Regulation 5A PECR implements the UK GDPR obligations and requires CSPs to notify the ICO of any personal data breach within 24 hours; otherwise, they may be fined GBP 1,000. In practice, however, the ICO notes that this produces a very high number of reports concerning small incidents that affect a limited number of users and are resolved by the CSPs. Therefore, to minimise the regulatory burden on CSPs, the ICO has announced that it will use its discretion not to fine CSPs that fail to report breaches within 24 hours, extending that limit to 72 hours. The extension of the reporting requirement does not apply to incidents that are likely to affect a high number of users.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: messaging service provider
Implementation Level: national
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2023-01-20
adopted

On 20 January 2023, the Information Commissioner's Office (ICO) published a statement on the obliga…

2023-02-02
adopted

On 2 February 2023, the Information Commissioner's Office (ICO) reviewed and updated its statement …