Doncaster Office
Sheffield Office

To report or not to report? That is the question…

05 November 2018
to report or not report

It has been over 5 months since the introduction of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The introduction of the revamped data protection regime has certainly put a greater spotlight on businesses and organisations, such as schools and charities, in respect of data protection. 

There have been reported examples where a school has sent personal details of over 600 potential students to fellow applicants as well as large national company, Dixons Carphone Warehouse, which admitted a data breach involving 5.9 million payment cards and 1.2 million personal data records (thankfully for Dixons Carphone Warehouse this occurred before GDPR came into full effect so the penalties are not as severe).

One of the main reasons why businesses are taking more notice about data protection is the enhanced power the Information Commissioners Office has in respect of fines. The fines can go up to can go up to 20 million Euros or 4 percent of annual global turnover, whichever is higher. There is also the obligation to report certain data breaches within 72 hours. This means the fines, such as the one imposed on Facebook of £500,000 in respect of data breaches before the new regime, would have been much higher.

Not all cases, like the ones mentioned above, are as clear cut however. When deciding what is and is not a reportable breach there are a number of things to consider. A business or organisation has to ask themselves what risk the data breach poses on the rights and freedoms of the individuals.

This is where a business or organisation would have to assess on a case by case basis what has happened in respect of the data breach and how it impacts those individuals whose data has been breached. It is not always as clear cut as one might think, so the question remains to report or not to report? In any event it is practical to keep a log of all possible breaches, the assessment of the risk and what action has been taken.

If you would like to discuss any data protection issues you organisation might face further please contact 01302 965 249 or email at

We will be hosting a free breakfast seminar at Touchstone Education, 6-9 Railway Court, Doncaster DN4 5FB on the 29th November 2018 at 8AM.

Please contact T’ for more details or to reserve your place.