GDPR - Data breaches
Technical blog by Pauline Scott, Technical Co-ordinator | 17 May 2018
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. This must be done no later than 72 hours after the organisation becomes aware of the breach. Where the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the organisation must also inform those individuals without undue delay. Regardless of whether you are required to report the breach or not, you need to be able to justify this decision, so you should document it.
Failing to notify the regulator (ICO) of a breach, when required to do so, can result in a significant fine up to 10 million euros, or 2 per cent of your global turnover, with whatever sanction the ICO deems appropriate as a result of the breach i.e. the fine can be combined with the ICO’s other corrective powers under Article 58. There is also the additional factor of a requirement to compensate individual data subjects due harm suffered through the data breach. The impact of a breach therefore has potentially significant financial consequences.
Article 33 of the GDPR sets out the details that must be provided when reporting a breach and allows an organisation to provide this information later if it doesn’t have all the details available at that time. The ICO has confirmed that it does not expect to receive comprehensive reports at the outset of an incident, but it will want to know the potential scope and cause of the breach, planned mitigation actions, and how the organisation plans to address the problem. Article 34(4) allows you to provide the required information in phases, as long as this is done without undue further delay.
A personal data breach is:
A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Examples provided by the ICO include:
- access to an unauthorised third party
- deliberate or accidental action (or inaction) by a controller or processor
- sending personal data to an incorrect recipient
- computing devices containing personal data being lost or stolen
- alteration of personal data without permission; and
- loss of availability of personal data.
It is important to be aware that you may have additional notification obligations under other laws if you experience a personal data breach like the Privacy and Electronic Communications Regulation (PECR) for example.
So, saying all that, in preparation for 25th May have you or are you considering:
- what constitutes a serious incident, both in the context of the organisation’s data and your customers?
- putting a process in place to notify the ICO of a breach within 72 hours of becoming aware of it, even if all the details are not available?
- putting procedures in place, with appropriate allocation of roles and responsibilities for detection, investigation and internal reporting of breaches, so that decisions can be made promptly regarding notification to the relevant supervisory authority or the public?
- an inventory or log to record all personal data breaches (regardless of whether or not you are required to notify) including the elements it must contain?
- what actions will be taken to prevent recurrence such as improving processes, further training or other corrective steps following an investigation of a breach?
- is everyone in the organisation aware of the content and location of its policies and procedures relating to the processing of personal data?
In relation to training:
- has GDPR awareness training been provided that would include data breach reporting?
- has data protection and data handling training been provided?
- does training include full-time and part time staff, third-party contractors, temporary employees and volunteers whose job involves processing personal data?
- have staff been trained to understand exactly what constitutes a data breach?
- are records maintained to show that the training has been undertaken by whom and to whom?
- Is there a process in place starting with employees’ inductions and reinforced by regular updates throughout the year or when updates to policies take place or whenever staff-related incidents occur?
Information Commissioner’s Office
Personal data breaches
Content reviewed: 10 January 2022