Failure To Notify ICO Could Destroy Your Business


As a business in the 21st century, you probably store some sort of private data for individuals in the UK. Do you store: bank details, supplier details, customer addresses etc?

No matter what type of private data you store, if you hold any type of private data, you need to be registered with the ICO (The Information Commissioner’s Office)!

And in the event of a breach, you need to report the breach to the ICO.


Because the failure to notify ICO could destroy your business. But first…

What Is The ICO

The ICO, short for the Information Commissioner’s Office, plays a pivotal role in safeguarding the information and data protection rights of individuals in the United Kingdom.

They do this by:

Ensuring Lawful Data Storage and Offering Public Support

One of the ICO’s primary responsibilities is to oversee and regulate businesses across the UK, ensuring that they lawfully store private information and protect the public’s data. They are also there to actively assist the public in comprehending their rights regarding data protection.

As a member of the public, you can see what the ICO offers here.

Transparency Through the ‘Register of Fee Payers’

To enhance transparency and accountability to members of the public, the ICO maintains a comprehensive ‘Register of Fee Payers.’

This register is accessible to anyone in the public as it allows them to verify which businesses adhere to data protection laws AND prioritize their information security.

But, how does the ICO connect to cyberattacks when their main responsibilities are data protection of the public?


How Does the ICO Connect To Cybersecurity Breaches

When it comes to cyberattacks and data breaches, the ICO serves as the governing body that businesses must promptly notify in the event of a breach or loss of data.

Every business is required by law to notify the ICO of a breach within a 72-hour timeframe.

By reporting breaches to the ICO, businesses initiate an essential process that ensures compliance with data protection rules and regulations – while mitigating any potential damages they face.

Their Investigations

Once notified, the ICO conducts a thorough investigation to assess the extent to which your business has adhered to cybersecurity and data protection protocols.

This investigation is crucial in determining whether your business has complied with the rules and regulations set forth by various frameworks, including GDPR (General Data Protection Regulation) and the Data Protection Act.

An Example

To show the significance of complying with data protection regulations in the realm of cybersecurity, let’s consider an example.

Suppose your business fails to implement ‘adequate technical or organizational measures’, such as encryption, to safeguard private data. In this scenario, you may be held liable for non-compliance with data protection rules and it could potentially lead you to substantial fines and reputational damage!

The ICO’s Mission

Ultimately, the ICO’s primary objective is to ensure that businesses uphold their legal obligations and take every necessary measure to protect the public’s private information.

By enforcing compliance with regulations like GDPR and the Data Protection Act, the ICO plays a crucial role in maintaining the integrity of data protection practices and mitigating the risks posed by cyber threats.

Why Do You Need To Notify After Cyberattack

Notifying the ICO following a cyberattack is not merely a best practice; it is a legal requirement that all businesses in the UK must adhere to. By promptly reporting the incident within 72 hours of learning about the breach, you demonstrate your commitment to upholding data protection laws and fulfilling your responsibilities.

Protecting Individual Rights

The ICO’s involvement in the aftermath of a cyberattack is crucial to protect the rights of individuals and safeguard their data. By notifying the ICO, you let the public know that businesses across the UK prioritize the security and privacy of individuals’ information.

Establish Accountability

However, a failure to notify ICO after a cyberattack raises concerns about your commitment to protecting individual rights.

The ICO, as the regulatory authority, evaluates businesses based on their compliance with data protection laws. Failing to notify the ICO not only exposes your business to potential penalties but also highlights a lack of accountability – which can have far-reaching implications!

This can also harm you/ your business’s reputation.

If You Dont: Consequences To Your Business

When you fail to uphold data protection laws by neglecting to notify the ICO after a breach, your business is at risk.

Potential repercussions include financial penalties, legal ramifications, and significant damage to your brand’s integrity. Protecting the rights of individuals and fulfilling your obligations to the ICO is essential to avoid such detrimental consequences.

How Failure To Notify ICO Can Harm You

Failing to notify the ICO after a cyberattack can result in severe financial penalties, imposing a burden that no business wants to bear. The potential consequences include hefty fines, reaching as high as £8.2 million or 2% of your global turnover.

This staggering amount can be particularly devastating, especially if you have been asked for a ransom from a malicious actor just before!

How To Stop It From Harming You

Fortunately, there is a clear path to safeguarding your business.

Registering with the ICO and paying the monthly fee establishes your commitment to data protection. Additionally, timely notification to the ICO following a breach (within the 72-hour window) is crucial to demonstrate your compliance with the law and mitigate the risk of substantial fines.

The Value of Compliance

The importance of adhering to data protection laws and promptly notifying the ICO cannot be overstated.

The cost of non-compliance far exceeds the relatively small monthly fee, making it a prudent investment in protecting your business from crippling financial consequences. By prioritizing compliance and promptly reporting breaches, you actively safeguard your reputation, financial stability, and long-term viability.


Are You Registered?

If you are not registered/ paying your fee for the ICO already and you have a breach, you could also face a penalty of £400 to £4,000 – even if you notify the ICO within 72 hours!

You need to pay a fee of £40 to £2,900 per month, although, most organisations in the UK will need to pay just £40-60 per month.

There are exemptions for charities and certain other businesses; you can find out if you need to pay the fine on the ICO’s ‘Self Assessment’.  Although there are exceptions to payment, every business that operates within the UK still needs to register for the ICO.

It’s not worth the risk of not being registered.


So, it is always better to pay for the ICO so that you can avoid hefty fines.

Register for the ICO here.

More Cybersecurity Help

If you need some more help with your cybersecurity, contact us here at Jera.

Here at Jera, we work as an outsourced IT security company to keep your mind at ease about your cybersecurity. You never have to worry about keeping up with the latest in cybersecurity as we do all that for you as your IT security provider!

Contact us now for more information.