The ICO Changes its Approach to the 24-Hour PECR Notification Rules: 5 Key Takeaways | Orrick, Herrington & Sutcliffe LLP – JDSupra
In what will be a surprise move to many, the ICO has issued a statement to UK public electronic communications service providers (“CSPs”) regulated by the Privacy and Electronic Communications Regulations 2003 (known as “PECR”): you may have more time to notify a personal data breach than you previously had.
Regulation 5A of PECR sets out the most stringent notification requirements for personal data breaches under any cybersecurity regime in the UK. CSPs are currently required to notify a personal data breach to the ICO within 24 hours of becoming aware of the incident. Failure to comply with the notification rules under PECR can attract a fixed monetary penalty of £1,000. The ICO will also take into account any failure to report on time when considering any wider enforcement action.
However, in a statement published on 2 February 2023, the ICO has indicated that it may loosen the strict 24-hour requirement in certain circumstances. Following feedback from stakeholders, the ICO stated that it would exercise its discretion not to pursue CSPs that take longer than 24 hours to notify an incident, provided that the incident is reported within 72 hours and is unlikely to harm data subjects.
The ICO’s decision was in part prompted by ICO25 – the ICO’s three-year strategic plan. One of the central aims of ICO25 is to reduce certain costs and burdens involved in data protection compliance and to focus the ICO’s resources on the most impactful enforcement.
Many will welcome this statement from the ICO, which can be seen as an early indication of a more pragmatic and business-friendly approach from the ICO in line with its ICO25 commitments.
Read on for 5 key takeaways from the statement.
It’s never a bad time to consider your cybersecurity preparedness.