Breach Reporting under GDPR: What You Need to Know
One of the changes introduced under the General Data Protection Regulation (GDPR) is the requirement to report breaches to the Information Commissioner's Office (ICO), and in some cases to the data subjects themselves, once certain conditions have been met, namely that a personal data breach has occurred.
A personal data breach is broadly what you would expect: losing personal data. However, the definition is slightly wider than that. A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. So it covers more than simply losing data; unlawful access or incorrect alteration would also constitute a personal data breach.
Recital 87 of the GDPR makes clear that when a security incident takes place, you should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the ICO, if required.
One myth is that breaches “must be reported within 72 hours”. This is not strictly true. Article 33 states that “the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority”. Read strictly, this sets a target of 72 hours, but if it is not possible to report within that time, there will not have been a breach of the GDPR.
Instead, firms should:
Ensure they have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
After each breach, establish the likelihood and severity of the resulting risk to the data subjects' rights and freedoms. If it is likely that there is a risk to those rights and freedoms, then you should notify the ICO.
Where you have made a decision not to notify the ICO following a breach or incident, you should record your reasons for not doing so.
When assessing the risk to rights and freedoms, you should take into account Recital 85, which says: “A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
Ensure that processors inform them, as controllers, of data breaches so that they can fulfil their own breach reporting obligations. This requirement must be built into your supplier agreements.
Make a record of all breaches, regardless of whether or not they need to be reported to the ICO. Article 33(5) requires you to document the facts relating to the breach, its effects and the remedial action taken. This is part of your overall obligation to comply with the accountability principle, and it allows the ICO to verify your organisation's compliance with its notification duties under the GDPR.
As with any security incident, you should investigate whether the breach was the result of human error or a systemic issue, and consider how a recurrence can be prevented, whether through better processes, further training or other corrective steps.
But what about notifying the data subjects themselves?
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR says you must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.
A ‘high risk’ threshold means the bar for informing individuals is higher than that for notifying the ICO. Again, you will need to assess both the severity of the potential or actual impact on individuals as a result of a breach and the likelihood of this occurring. If the impact of the breach is more severe, the risk is higher; if the likelihood of the consequences is greater, then again the risk is higher. In such cases, you will need to promptly inform those affected, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a breach.
We have released a short course on the GDPR explaining breach reporting as well as many other aspects. To access this course, please sign up on our Resource Downloads page.