ISPs and telecommunication firms will be required to tell the Information Commissioner if they suffer a data breach.
The new rules would be the first data-breach notification requirements in the UK, an ICO spokesperson told PC Pro. While the regulation is yet to be finalised, it “looks set to happen,” the spokesperson said.
At the moment, organisations are not required to tell the data watchdog if they suffer a data breach, although many public sector groups – including the NHS – have their own policies requiring notification.
However, under a new EU directive, ISPs and telcos will have to tell the ICO and customers “in certain circumstances”.
The finer details of the new rules are still to be confirmed by the Depeartment of Culture, Media and Sport, but – like the new cookie rules – the UK is expected to simply copy over the EU legislation, a spokesperson for the department said. It will come into force on 25 May alongside other EU-dictated changes to UK communications regulations.
Notification laws, requiring companies to report leaked data, already exist in some US states and could be brought in under new EU plans, but critics believe such rules lead to “notification fatigue” and could do more harm than good.
Other changes
The ICO’s powers to fine up to £500,000 will also be extended to cover businesses sending spam email and texts, as well as companies using cookies to track users across websites without asking consent.
Despite having the power to issue such a large fine, the ICO has said it will not immediately target companies on the new cookie rules, as the Government is yet to issue guidance to companies about how the regulations will work.
The ICO has been under fire this week for not using its powers when it comes to data breaches.
Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way.
