Module 7: Personal Data Breaches

Introduction

The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk of adversely affecting individual’s rights and freedoms, you must also inform those individuals without undue delay. You must also keep a record of any personal data breaches, regardless of whether you are required to notify.

You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.

What is a personal breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate cause. It also means a personal breach is about more than just losing personal data.

A personal data breach can be broadly defined as a security incident that has affected the integrity, confidentiality or availability of personal data. There will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware or accidentally lost or destroyed.

Recital 87 of the GDPR makes clear that when a security incident takes place, you should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the ICO if required.

Personal data breaches can include:

• Access by an unauthorised third party

• Deliberate or accidental action (or inaction) by a controller or processor;

• Sending personal data to an incorrect recipient;

• Computing devices containing personal data being lost or stolen;

• Alteration of personal data without permission; and

• Loss of availability of personal data.

What breaches do we need to notify the ICO about?

When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be risk, then you must notify the ICO; if it’s unlikely then you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should just document it.

In assessing risk to rights and freedoms, it’s important to focus on the potential negative consequences for individuals. Recital 85 of the GDPR explains that:

‘A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as; loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned’

This means that a breach can have a range of adverse effects on individuals, which includes emotional distress and physical and material damage. Some personal data breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. Other breaches can significantly affect individuals whose personal data has been compromised. You need to assess this case by case, looking at all relevant factors.

So, on becoming aware of a breach, you should try to contain it and assess the potential adverse consequences for individuals, based on how serious or substantial these are, and how likely they are to happen.

How much time do we have to report a breach?

You must report a notifiable breach to the ICO without undue delay but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.

Checklists

Preparing for a personal data breach

• You should know how to recognise a personal data breach

• You should understand that a personal data breach isn’t only about loss or theft of personal data

• You have prepared a response plan for addressing any personal data breaches that occur.

• You have allocated responsibility for managing breaches to a dedicated person or team

• Your staff know how to escalate a security incident to the appropriate person or team in our organisation to determine whether a breach has occurred.

Responding to a personal data breach

• You should have in place a process to assess the likely risk to individuals as a result of a breach.

• You should know who the relevant supervisory authority for your processing activities is.

• You should have a process to notify the ICO of a breach within 72 hours of becoming aware of it, even if you don’t have all the details yet.

• You should know what information you must give the ICO about a breach.

• You should have a process to inform affected individuals about a breach when it is likely to result in a high risk to their rights and freedoms.

• You know you must inform affected individuals without undue delay.

• You should know what information about a breach you must provide to individuals and that you should provide advice to help them protect themselves from its effects.

• You should document all breaches, even if they don’t all need to be reported.

How much time do we have to report a breach?

You must report a notifiable breach to the ICO without undue delay but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.

What information must a breach notification to the supervisory authority contain?

When reporting a breach, the GDPR says you must provide:

• A description of the nature of the personal data breach including, where possible:

– The categories and approximate number of individuals concerned; and

– The categories and approximate number of personal data records concerned;

• The name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;

• A description of the likely consequences of the personal data breach; and

• A description of the measures taken, or proposed to be taken, to deal with the personal data breach including where appropriate the measures taken to mitigate any possible adverse effects.

What if we don’t have all the required information available yet?

The GDPR recognises that it will not always be possible to investigate a breach fully within 72 hours to understand exactly what has happened and what needs to be done to mitigate it. So, Article 34.4 allows you to provide the required information in phases, as long as this is done without further delay.

However, we expect controllers to prioritise the investigation, give it adequate resources, and expedite it urgently. You must still notify us of the breach when you become aware of it and submit further information as soon as possible. If you know you won’t be able to provide full details within 72 hours, it is a good idea to explain the delay to us and tell us when you expect to submit more information.

How do we notify a breach to the ICO?

If you need to report a breach to the ICO you can call them on 0303 123 1113 or follow the link below to report it through their website using the following link: https://ico.org.uk/for-organisations/report-a-breach

Remember. In the case of a breach affecting individuals in different EU countries, the ICO may not be the lead supervisory authority. This means that as part of your breach response plan, you should establish which European data protection agency would be your lead supervisory authority for the processing activities that have been subject to the breach.

When do we need to tell individuals about a breach?

If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR says you must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.

A ‘high risk’ means the threshold for informing individuals is higher than for notifying the ICO. Again, you will need to assess both the severity of the potential or actual impact on individuals as a result of a breach and the likelihood of this occurring. If the impact of the breach is more severe, the risk is higher. In such cases, you need to promptly inform those affected, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a breach.

You need to describe, in clear and plain language, the nature of the personal data and, at least:

• The name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained;

• A description of the likely consequences of the personal data breach; and

• A description of the measures taken or proposed to be taken to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.

If you decide not to notify individuals, you will still need to notify the ICO unless you can demonstrate that the breach is unlikely to result in a risk to rights and freedoms. You should also remember that the ICO has the power to compel you to inform affected individuals if they consider there is a high risk. In any event, you should document your decision-making process in line with the requirements of the accountability principle.

Does the GDPR require us to take any other steps in response to a breach?

You should ensure that you record all breaches, regardless of whether or not they need to be reported to the ICO.

Article 35.5 requires you to document the facts relating to the breach, its effects and the remedial action taken. This is part of your overall obligation to comply with the accountability principle and allows us to verify your organisation’s compliance with it’s notification duties under the GDPR.

As with any security incident, you should investigate whether or not the breach was a result of human error or a systemic issue and see how recurrence can be prevented – whether this is through better processes, further training or other corrective steps.

Failing to notify a breach when required to do so can result in a significant fine up to 10 million euros or 2 per cent of your global turnover. The fine can be combined under the ICO’s other corrective powers under Article 58. Therefore, it is important to make sure you have a robust breach-reporting process in place to ensure you detect and can notify a breach, on time and provide all of the necessary details.

What else should I take into account?

It is important to be aware that you have additional notification obligations under other laws if you experience a personal data breach. For example:

• If you are a communications service provider, you must notify the ICO of any personal data breach within 24 hours under the Privacy and Electronic Communications Regulations (PECR)

• If you are a UK trust provider, you must notify the ICO of a security breach, which may include a personal data breach, within 24 hours under the Electronic Identification and Trust Services (eIDAS) Regulation.

• If your organisation is an operator of essential services or a digital service provider, you will have incident-reporting obligations under the NIS Directive. These are separate from personal data breach notification under the GDPR. If you suffer an incident that’s also a personal data breach, you will still need to report it to the ICO separately and you should use the GDPR process for doing so.

You may also need to consider notifying third parties such as the police, insurers, professional bodies or bank or credit card companies who can help reduce the risk of financial loss to individuals.