What is ‘high risk’ in the context of data breach reporting or notification under the GDPR?
According to the ICO’s website on breach notification:
When do individuals have to be notified?
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly.
A ‘high risk’ means the threshold for notifying individuals is higher than for notifying the relevant supervisory authority.
However, note the ‘fact’ for ‘myth #5’ on the breach reporting blog:
And organisations need to remember that if there’s the likelihood of a high risk to people’s rights and freedoms, they will also need to report the breach to the individuals who have been affected.
So, in essence, organisations will need to assess whether a breach poses no risk, a risk, or a high risk to people’s rights and freedoms. This assumes, or requires, that organisations somehow get to grips with what constitutes ‘people’s rights and freedoms’. Rights and freedoms (privacy?) are not easy to identify.
The ICO acknowledges this by stating in their blog:
Pan-European guidelines will assist organisations in determining thresholds for reporting, but the best approach will be to start examining the types of incidents your organisation faces and develop a sense of what constitutes a serious incident in the context of your data and your own customers.