A data breach is an incident in which personal data is lost, disclosed, altered or destroyed. The GDPR imposes a duty to record data breaches and in some circumstances report data breaches to the relevant supervisory authority.
Definition Under the GDPR
Article 33 provides that where a personal data breach results in a “risk to the rights and freedoms of natural persons” the controller must notify the relevant supervisory authority of the breach “without undue delay and, where feasible, not later than 72 hours after having become aware [of the breach]”. Where the risk to the rights and freedoms of natural persons is high, the controller must also inform the data subject of the breach.
A processor must notify the controller of a personal data breach “without undue delay” but is not required to carry out any assessment of the breach prior to informing the controller. Processors are also not required to report directly to the supervisory authority, or to data subjects.
The GDPR requires organisations to keep records of all data breaches, whether or not they are notifiable.
What Does the GDPR Definition Really Mean?
Under the GDPR, a personal data breach is defined as an incident where there is ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed’. Examples of personal data breaches include:
- Unauthorised access by a third party (such as a hacker);
- Sending personal data to an incorrect recipient (perhaps by sending an email to the wrong person or by sending post to the wrong address);
- The loss or theft of personal devices (such as a mobile or laptop) containing data;
- The accidental or deliberate loss or alteration of personal data.
What are the Significant Changes Brought in by the GDPR?
The GDPR imposes a notification requirement where a data breach is likely to result in a risk to the rights and freedoms of the individual. Therefore, a breach that is likely to result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage needs to be notified to the relevant supervisory authority. Where the risk to the rights and freedoms of the individual is “high”, the individual must also be notified.
A notifiable breach must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of the breach. The GDPR provides that the information may be provided in phases where a breach cannot be fully investigated within that time period. In the event that a notification is not made within the 72-hour time frame, the notification must be accompanied by reasons for the delay.
A notification made under this provision needs to contain prescribed information such as the nature of the personal data breach, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned. It also needs to set out the contact details of the data protection officer, the likely consequences of the breach and the measures taken to address the breach.
In addition to the notification requirements, records must be kept of all data breaches along with the remedial actions taken, and the ICO will use these records to determine whether a controller is compliant with its obligations.
What Effect has this had on UK Businesses?
The requirement to notify is a new obligation imposed by the GDPR which did not exist under the previous data protection legislation. The notification requirement has led to an increased burden on UK businesses to identify, record, assess the seriousness of and, if required, report data breaches. The decision to notify (or not notify) the relevant supervisory authority will need to be assessed on a case-by-case basis. For example, the loss of a customer’s credit card details, leaving them at risk of theft, would need to be reported to the relevant supervisory authority. However, the accidental disclosure of a staff telephone list may not meet the notification threshold. These are clear examples, but in practice, assessing the seriousness of the risk to individuals’ rights and freedoms may be more problematic. Therefore, appropriate procedures need to be in place to manage this decision-making process and to complete it within the 72-hour time frame.
Failure to notify a breach where there was a requirement to do so can result in a significant fine of 10 million Euros or 2 percent of your company’s global turnover, whichever is higher.
What Should my Business be Doing?
You should ensure that your staff are fully trained to identify data breaches. In particular you should ensure that they recognise the different types of data breach covered by the GDPR.
You should review your internal breach reporting procedure and make sure that it meets the current standards and that records are kept for all data breaches, whether notified or not. It is important to have a robust breach detection, investigation and reporting procedure in place for serious breaches. Can you meet the 72-hour time limit? Do you have sufficient procedures in place to meet the notification requirements?