Change to regulation concerning communication service providers

20 Jan 2023 01:06 PM

The Information Commissioner’s Office (ICO) has written to communication service providers (CSPs) about their obligations under Regulation 5A of the Privacy and Electronic Communications Regulations 2003 (PECR).

Regulation 5A requires a CSP to notify the ICO within 24 hours of any personal data breach, no matter how small, that has occurred. If a report is not received in time, the ICO can issue a fixed penalty of £1,000 to a CSP.

The ICO has decided to stop enforcing personal data breach reports made under Regulation 5A. That’s because our analysis of these reports indicates that incidents usually relate to human error involving one individual and are quickly resolved, and the providers put remedial measures in place to ensure the error does not happen again.

This decision will not affect the duty of CSPs to report significant personal data breaches within 72 hours in line with UK GDPR.

As part of ICO25 – our three-year strategic plan – we are aiming to reduce data protection compliance burdens and costs for businesses by providing regulatory clarity, support and guidance, as well as focussing our resources where we can have the greatest impact.

The change to how we regulate Regulation 5A will reduce what the ICO believes is a disproportionate burden on CSPs to report low-risk incidents. The ICO currently receives notification of around 10,000 incidents per year under the regulation. We will still expect CSPs to report high-risk incidents, and we will review them in line with UK GDPR.

This change will also allow the ICO to better use resources on investigations where significant harm has been, or is likely to be, caused to individuals and where we can have the greatest impact as a proportionate regulator.