A data breach is an incident in which personal data is lost, disclosed, altered or destroyed. The GDPR imposes new duties to record data breaches and in some circumstances report data breaches to the relevant supervisory authority.
Definition under the DPA
There is no legal obligation under the DPA to report a data breach to the ICO (although other legislation, for example the PECR provides notification requirements for the providers of specific services).
What does the DPA definition really mean?
There is no mandatory duty to notify the ICO of a data breach; however, it is recommended that serious breaches are reported, as the ICO will take a voluntary report into account if it imposes a penalty.
Definition under the GDPR
Article 33 provides that where a personal data breach results in a “risk to the rights and freedoms of natural persons” the controller must notify the relevant supervisory authority of the breach “without undue delay and, where feasible, not later than 72 hours after having become aware of [the breach]”. The controller must also communicate to the data subject to inform them of the breach.
A processor must notify the controller of a personal data breach “without undue delay” but is not required to report directly to the supervisory authority.
What does the GDPR definition really mean?
The GDPR requires organisations to keep records of all data breaches. Notification of data breaches to the ICO is required if there is a risk to the rights and freedoms of individuals. Where there is a ‘high risk’ to the rights and freedoms of individuals, the individuals concerned must also be notified.
What are the significant differences between the DPA and the GDPR?
The GDPR imposes a new notification requirement where a data breach is likely to result in a risk to the rights and freedoms of the individual. Therefore a breach that is likely to result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage needs to be notified to the relevant supervisory authority. Where the risk to the rights and freedoms of the individual is “high”, the individual must also be notified.
A notifiable breach must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of the breach. The GDPR provides that the information may be provided in phases where a breach cannot be fully investigated within that time period. If a notification is not made within the 72-hour time frame, the notification must be accompanied by reasons for the delay.
A notification made under this provision needs to contain prescribed information such as the nature of the personal data breach, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned. It also needs to set out the contact details of the data protection officer, the likely consequences of the breach and the measures taken to address the breach.
In addition to the notification requirements, records must be kept of all data breaches along with the remedial actions taken, and the ICO will use these records to determine whether a controller is compliant with its obligations.
What effect will this have on non-UK businesses?
Actually, very little.
What effect will this have on UK businesses?
The GDPR imposes a new and increased burden on UK businesses to identify, record, assess the seriousness of and, if required, report data breaches. The decision to notify (or not notify) the relevant supervisory authority will need to be assessed on a case-by-case basis. For example, the loss of a customer’s credit card details, leaving them at risk of theft, would need to be reported to the relevant supervisory authority. However, the accidental disclosure of a staff telephone list may not meet the notification threshold. These are clear examples, but in practice the seriousness of the risk to individuals’ rights and freedoms may be more difficult to assess. Therefore, appropriate procedures need to be in place to manage this decision-making process and to complete it within the 72-hour time frame.
Failure to notify a breach where there was a requirement to do so can result in a significant fine of 10 million Euros or 2 percent of your company’s global turnover, whichever is higher.
What will my business need to do?
You should ensure that your staff are fully trained to identify data breaches. In particular you should ensure that they recognise the different types of data breach covered by the GDPR.
You should review your internal breach reporting procedure and make sure that it meets the new standards and that records are kept for all data breaches, whether notified or not. It is important to have a robust breach detection, investigation and reporting procedure in place for serious breaches. Can you meet the 72-hour time limit? Do you have sufficient procedures in place to meet the notification requirements?
Which incidents trigger notification?
The new GDPR regime applies to ‘personal data breaches’. These are defined as incidents where there is a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Do data processors have to notify data controllers of all breaches?
Yes. The GDPR does not provide any exceptions and all reports must be made “without undue delay”. The European Data Protection Board is expected to provide further guidance on exemptions and the meaning of “without undue delay”.
Do data controllers have to notify the supervisory authority of all breaches?
Not always. Data controllers must assess and record all data breaches. Breaches must be reported to the supervisory authority where the breach is likely to result in a risk to the rights and freedoms of an individual. Notifications must be made without undue delay and, where feasible, not later than 72 hours after you became aware of the breach. The European Data Protection Board is also expected to provide guidance on the meaning of “undue delay” in this context, and the particular circumstances in which a data controller is required to notify of a personal data breach.
Are there any exemptions to the requirement to communicate the breach to the data subject?
Yes. The breach does not need to be communicated to the individual where:
- The risk to the rights and freedoms of the data subject is not ‘high’.
- Appropriate technical measures or organisational protections (e.g. encryption) were in place at the time of the breach.
- The communication would involve disproportionate effort. In this instance a public communication (or similar) to inform data subjects in an equally effective manner shall be used.
An example of a breach would be a lost laptop containing personal data such as customer records. If the laptop is encrypted, and particularly if all of the information on it could be deleted remotely, this would be a recordable data breach but would not be notifiable. If the laptop lacked such security measures, so that the personal data was potentially accessible, the breach would need to be notified to the ICO.
- DPA means the Data Protection Act 1998, the statute that previously governed the processing of personal data in the UK.
- GDPR means the General Data Protection Regulation, the EU law that replaces the Data Protection Act 1998.
- Data controller means the person/business who determines the purposes for which personal data will be processed, and the manner in which it will be processed.
- Data processor means a person or organisation who processes the data on behalf of the controller.
This briefing is based on the law as it stands in July 2017. It is possible (and, indeed, likely) that, before the GDPR comes into force in May 2018, the Information Commissioner’s Office will release a number of guidance notes that will help to interpret the GDPR. These guidance notes may offer additional advice for UK businesses, and may even cause some of the information in this briefing to become incorrect. As a result, this briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.