A data breach is an incident in which personal data is lost, disclosed, altered or destroyed. The GDPR imposes a duty to record data breaches and in some circumstances report data breaches to the relevant supervisory authority.
Definition under the GDPR
Article 33 provides that where a personal data breach results in a “risk to the rights and freedoms of natural persons” the controller must notify the relevant supervisory authority of the breach “without undue delay and, where feasible, not later than 72 hours after having become aware [of the breach]”. Where the risk to the rights and freedoms of natural persons is high, the controller must also inform the data subject of the breach.
A processor must notify the controller of a personal data breach “without undue delay” but is not required to carry out any assessment of the breach prior to informing the controller. Processors are also not required to report directly to the supervisory authority, or to data subjects.
The GDPR requires organisations to keep records of all data breaches, whether or not they are notifiable.
What does the GDPR definition really mean?
Under the GDPR, a personal data breach is defined as an incident where there is ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed’. Examples of personal data breaches include:
- Unauthorised access by a third party (such as a hacker);
- Sending personal data to an incorrect recipient (perhaps by sending an email to the wrong person or by sending post to the wrong address);
- The loss or theft of personal devices (such as a mobile or laptop) containing data;
- The accidental or deliberate loss or alteration of personal data.
What are the significant changes brought in by the GDPR?
The GDPR imposes a notification requirement where a data breach is likely to result in a risk to the rights and freedoms of the individual. Therefore a breach that is likely to result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage needs to be notified to the relevant supervisory authority. Where the risk to the rights and freedoms of the individual is “high”, the individual must also be notified.
A notifiable breach must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of the breach. The GDPR provides that the information may be provided in phases where a breach cannot be fully investigated within that time period. If the notification is not made within the 72-hour time frame, it must be accompanied by reasons for the delay.
A notification made under this provision needs to contain prescribed information such as the nature of the personal data breach, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned. It also needs to set out the contact details of the data protection officer, the likely consequences of the breach and the measures taken to address the breach.
In addition to the notification requirements, records must be kept of all data breaches along with the remedial actions taken, and the ICO will use these records to determine whether a controller is compliant with its obligations.
What effect has this had on UK businesses?
The requirement to notify is a new obligation imposed by the GDPR which did not exist under the previous data protection legislation. The notification requirement has increased the burden on UK businesses to identify, record, assess the seriousness of and, if required, report data breaches. The decision to notify (or not notify) the relevant supervisory authority will need to be assessed on a case-by-case basis. For example, the loss of a customer’s credit card details, leaving them at risk of theft, would need to be reported to the relevant supervisory authority. However, the accidental disclosure of a staff telephone list may not meet the notification threshold. These are clear examples, but in practice the seriousness of the risks to individuals’ rights and freedoms may be more difficult to assess. Therefore, appropriate procedures need to be in place to manage this decision-making process and to complete it within the 72-hour time frame.
Failure to notify a breach where there was a requirement to do so can result in a significant fine of 10 million Euros or 2 percent of your company’s global turnover, whichever is higher.
What should my business be doing?
You should ensure that your staff are fully trained to identify data breaches. In particular you should ensure that they recognise the different types of data breach covered by the GDPR.
You should review your internal breach reporting procedure and make sure that it meets the current standards and that records are kept for all data breaches, whether notified or not. For serious breaches it is important to have a robust breach detection, investigation and reporting procedure in place. Can you meet the 72-hour time limit? Do you have sufficient procedures in place to meet the notification requirements?
Which incidents trigger notification?
The requirement to notify applies to ‘personal data breaches’. These are defined as incidents where there is a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. All data breaches must be notified to the ICO unless it can be shown that the breach did not result in a risk to the rights and freedoms of natural persons.
Do data processors have to notify data controllers of all breaches?
Yes. The GDPR does not provide any exceptions and all reports must be made “without undue delay”. Ideally, any written agreement between controller and processor should specify a timeframe for the processor to notify the controller.
Do data controllers have to notify the supervisory authority of all breaches?
Not always. Data controllers must assess and record all data breaches. Breaches must be reported to the supervisory authority where the breach is likely to result in a risk to the rights and freedoms of an individual. Notifications must be made without undue delay and, where feasible, not later than 72 hours after you became aware of the breach. If you take longer than 72 hours you must provide reasons for the delay.
An example of a breach would be a lost laptop containing personal data such as customer records. If the laptop is encrypted, and particularly if remote deletion of all of the information on the laptop was possible, this would be a recordable data breach but would not be notifiable. If the laptop lacked such security measures, so that the personal data was potentially accessible, then the breach would need to be notified to the ICO.
Are there any exemptions to the requirement to communicate the breach to the data subject?
Yes. The breach only has to be reported to the data subject if the risk to their rights and freedoms is high. Even then, the breach may not need to be communicated to the individual where:
- Appropriate technical measures or organisational protections were in place at the time of the breach, e.g. encryption;
- The controller has taken immediate steps to ensure that the risk is addressed such that the risk is unlikely to materialise;
- The communication would involve disproportionate effort. In this instance a public communication (or similar) to inform data subjects in an equally effective manner shall be used.
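As an added example that is not part of the briefing, the decision steps above (record every breach, notify the supervisory authority within 72 hours where there is a risk, inform data subjects where the risk is high unless an Article 34 exemption applies) encoded as a small breach-register triage function; the Breach fields, register references and dates are constructed for illustration and are not prescribed by the GDPR.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

NOTIFY_WINDOW = timedelta(hours=72)  # Article 33: "not later than 72 hours"

class Risk(Enum):
    """Assessed risk to the rights and freedoms of the individuals affected."""
    UNLIKELY = 0  # record only
    RISK = 1      # record and notify the supervisory authority
    HIGH = 2      # as above, and inform the data subjects

@dataclass(frozen=True)
class Breach:
    ref: str                      # register reference (constructed value)
    aware_at: datetime            # when the controller became aware
    risk: Risk
    # Article 34 exemptions as the briefing lists them (constructed field names)
    data_protected: bool = False  # e.g. encrypted, remote wipe possible
    risk_mitigated: bool = False  # immediate steps make the risk unlikely to materialise
    disproportionate_effort: bool = False

@dataclass(frozen=True)
class Decision:
    record: bool                  # always True: every breach goes in the register
    notify_authority: bool
    authority_deadline: datetime  # 72 hours from awareness
    inform_subjects: bool
    public_communication: bool    # equally effective alternative to individual notice

def assess(b: Breach) -> Decision:
    """Apply the briefing's decision steps to one breach."""
    notify_authority = b.risk is not Risk.UNLIKELY
    high = b.risk is Risk.HIGH
    exempt = b.data_protected or b.risk_mitigated
    # Disproportionate effort does not remove the duty; it changes the channel.
    inform_subjects = high and not exempt and not b.disproportionate_effort
    public = high and not exempt and b.disproportionate_effort
    return Decision(True, notify_authority, b.aware_at + NOTIFY_WINDOW,
                    inform_subjects, public)

def delay_reasons_required(b: Breach, notified_at: datetime) -> bool:
    """True if the notification missed the 72-hour window and must state reasons."""
    return notified_at > b.aware_at + NOTIFY_WINDOW

# Constructed register entries mirroring the briefing's examples.
AWARE = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
LOST_LAPTOP = Breach("BR-001", AWARE, Risk.UNLIKELY, data_protected=True)
CARD_LEAK = Breach("BR-002", AWARE, Risk.HIGH)
```

The risk level itself is still a human judgement; the function only makes the resulting obligations and deadline explicit so the register shows why a breach was or was not notified.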
- GDPR means the General Data Protection Regulation, the EU law that has replaced the Data Protection Act 1998.
- Data controller means the person/business who determines the purposes for which personal data will be processed, and the manner in which it will be processed.
- Data processor means a person or organisation who processes the data on behalf of the controller.
- ICO means the Information Commissioner’s Office, the UK’s supervisory authority.
This briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.