When data controllers are faced with a security breach - especially with regard to notifying the Information Commissioner's Office (ICO) - it is worth examining the conflicting elements of legal and regulatory disclosure requirements, as the interests of the company may not be wholly served by following the directives of the ICO. The ICO's guidelines are notification-oriented and arguably do not provide a best-interest reason to make that notification. If followed to the letter and without internal company consultation, data controllers could create a liability exposure to the regulator, as the ICO directs data controllers to disclose serious data breaches without regard for the mitigation of corporate liability. The considerations the ICO requests for making a notification are: the potential harm to data subjects; the volume of personal data lost; and the sensitivity of that data.