This blog in the series on the GDPR looks at the way data breaches should be dealt with by organisations that hold data (data controllers), in particular how such breaches should be reported and investigated. The timescale involved will be discussed along with the potential penalties for failure to react appropriately to a data breach.
Before moving on to the details of reporting a data breach it is necessary to define what a data breach is.
A data breach occurs when a breach of security leads to accidental or unlawful access to data and may result in the destruction, loss, alteration or unauthorised disclosure of personal data. The breach can occur through either a malicious or an accidental action.
A key point to remember is that a data breach is not limited to electronic data, but also includes traditional paper files, address lists or any other form of recorded personal data.
Examples of data breaches include, but are not limited to:
- access by an unauthorised third party;
- action or inaction by a data controller or processor, whether the act was deliberate or accidental;
- sending personal data to an incorrect recipient;
- files or devices containing personal data being stolen or lost;
- unauthorised modification of personal data;
- denial of access to personal data.
Within Recital 87 of the GDPR there is a clear instruction that procedures must be in place to establish whether a security incident has led to a personal data breach, and what actions are subsequently required to address the breach, including the reporting required.
Under existing legislation some organisations are already required to notify the ICO (and possibly some other bodies) when they suffer a personal data breach. The GDPR widens the scope of the reporting requirements to include every organisation that suffers a data breach, and in some cases the organisation must now also report the breach to the individuals affected, in addition to its statutory obligation to report the breach to the Information Commissioner's Office (ICO). The ICO must be notified of the breach without undue delay, and in any case within 72 hours of the breach being detected.
Both the ICO and the individuals concerned must be notified within 72 hours of a data breach being detected where it is likely that the breach will result in a risk to the rights and freedoms of individuals. The GDPR defines these as breaches that may lead to, with regard to an individual, discrimination, deterioration of reputation, financial loss or ‘any other significant economic or social disadvantage.’
Because of the reporting timescales involved, it is imperative that organisations establish the extent of any security incident and, where a data breach has occurred, the likelihood and severity of the consequences for the rights and freedoms of individuals. Should it be deemed unlikely that a breach affecting personal data occurred during the security incident, there is no need to notify the ICO; however, the decision not to report the incident and the justification for non-reporting should be documented and recorded. The need to report a security incident or data breach must be assessed on a case-by-case basis and all relevant factors recorded. The fact that a previous security incident was not reported to the ICO should not be treated as a precedent for a subsequent incident.
All of the above is the responsibility of the data controller. Where an organisation uses the services of a third-party organisation to process data on its behalf (a data processor), the data controller is still obliged to report a security incident or data breach suffered by that data processor. It is therefore imperative that the data processor notifies the data controller without undue delay, so that the data controller can fulfil its reporting obligations under the GDPR. For more details on this requirement please refer to Article 33(2) of the GDPR. Further, specific conditions have to be met in the contract between the data controller and the data processor (see Article 28 of the GDPR for details and examples of the contract terms that should be in place between data controllers and data processors); these are beyond the scope of this blog article.
Having determined that there is a need to report a breach to the ICO, the report needs to include the following details:
- a complete description of the nature of the data breach;
- the categories and approximate number of individuals affected;
- the approximate number of records concerned;
- the contact details of the organisation's data protection officer, and details of any other contact point where more information can be obtained;
- a description of the likely consequences of the data breach;
- a detailed account of the measures taken, or proposed to be taken, to deal with the data breach, with timescales;
- the measures taken to mitigate adverse consequences for the individuals affected.
It is permissible to make an incomplete report to the ICO within the 72-hour timescale, provided that the initial report includes sufficiently detailed mitigation and a realistic timescale setting out when the full details will be submitted.
Where a data breach poses a significant risk to individuals, the data controller must notify those individuals directly and without undue delay, even where it is the controller's contracted data processor that has suffered the breach. The notification to individuals must be written clearly and concisely while remaining materially the same as the report submitted to the ICO.
The ICO website (www.ico.gov.uk) has full details on how to submit a data breach report.
The ICO recommends that all security incidents, whether or not a data breach has occurred, should be recorded and investigated, both to establish best practice for dealing with security incidents and to spot trends within industry sectors.
Finally, the consequences of failing to report a statutorily reportable breach are very serious and should be noted. Article 58 of the GDPR allows for a fine of up to £10m or 2% of global turnover, in addition to any fines subsequently imposed for the data breach itself. It is therefore imperative that organisations understand both when a data breach should be reported and how such a breach is effectively and properly reported, so that they are in the best position to meet their obligations should they suffer a data breach.