ICO Relaxes Breach Reporting for Comms Providers

The UK data protection and privacy regulator no longer fines public electronic communication service providers (CSPs) if they fail to report a data breach within 24 hours.

The Information Commissioner’s Office (ICO) has said that CSPs (including mobile carriers and ISPs) are not liable for the £1000 fixed fine as long as they report the incident within 72 hours.

The previous rule was part of the Privacy and Electronic Communications Regulation (PECR) 2003 and superseded the GDPR breach notification obligations for CSPs.

“The ICO currently receives approximately 10,000 reports per year under regulation 5A PECR. Our analysis of these reports shows that the reported incidents are usually due to human error and affect only a small number of individuals, and typically CSPs take steps to improve their internal systems to prevent similar errors from occurring,” the regulator explained.

“The ICO is mindful of the regulatory burden placed on CSPs to meet the short reporting deadline of 24 hours in situations where reported incidents are unlikely to pose a risk to individual rights and freedoms.”

The ICO says it expects CSPs to notify within one day if a breach could “adversely impact the personal data and privacy of subscribers and users.”

The changes to reporting regulations can be viewed in the context of the ICO's broader three-year strategy, called ICO25, which is designed to reduce the burden and cost of data protection compliance for organizations and to focus limited resources where they can make the biggest impact.

Some of these changes have raised eyebrows, such as the ICO’s decision to significantly reduce public sector fines.

Information Commissioner John Edwards has publicly defended the policy, arguing that such fines simply take money away from critical public services. A £500,000 fine imposed on the Cabinet Office has been reduced to just £50,000.
