The UK’s data protection and privacy regulator will no longer fine public electronic communications service providers (CSPs) if they fail to report a data breach within 24 hours.
The Information Commissioner’s Office (ICO) said that as long as CSPs – including mobile carriers and ISPs – report any incidents to it within 72 hours, they will not be liable for the fixed monetary penalty of £1000 that a late notification would otherwise attract.
The 24-hour deadline is set by Regulation 5A of the Privacy and Electronic Communications Regulations 2003 (PECR), which for CSPs takes precedence over the 72-hour breach notification obligation under GDPR. The regulation itself has not changed; what has changed is the ICO’s approach to enforcing it.
“The ICO currently receives around 10,000 reports per year under Regulation 5A PECR. Our analysis of these reports indicates that incidents notified to us usually result from human error and only affect a small number of individuals. Typically, CSPs then take action to improve their internal systems to prevent similar errors occurring,” the regulator explained.
“The ICO is mindful of the regulatory burden on CSPs in meeting the short 24-hour reporting deadline in circumstances where the incidents being reported are unlikely to result in any risk to individuals’ rights and freedoms.”
The ICO said that it still expects CSPs to notify within a day if a breach may “adversely affect the personal data or privacy of subscribers or users.”