Talk Talk Telecom’s appeal against the £1,000 penalty imposed by the ICO for delayed notification of a personal data breach was dismissed on 30 August. The matter concerned a Talk Talk customer who gained access to another person’s personal data through an online facility. The ICO recommends that companies notify it within the 24-hour deadline, acknowledging the breach and stating that an investigation is underway, in accordance with Regulation 5A(2) of the Privacy and Electronic Communications Regulations 2003 and Article 2(2) of the European Commission Regulation No. 611/2013. It also expects to be kept regularly updated with details of the investigation. In this case, the customer complained on 18 November, but the ICO was only notified on 1 December.
ICO judgment (PDF)